Delete Slmgr - COM Hijacks are too broad

2024-09-20 10:41:47 +02:00 · 2020-07-03 10:15:06 -04:00 · 2020-07-03 10:15:06 -04:00 · e316cb4842
commit e316cb4842
parent 12cdb47285
1 changed files with 0 additions and 31 deletions
--- a/yml/OSScripts/Slmgr.yml
+++ b/yml/OSScripts/Slmgr.yml
@ -1,31 +0,0 @@
---
-Name: Slmgr.vbs
-Description: Script used to manage windows license activation
-Author: 'Oddvar Moe'
-Created: '2018-05-25'
-Commands:
-  - Command: reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
-    Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code
-    Usecase: Proxy execution
-    Category: Execute
-    Privileges: User
-    MitreID: T1216
-    MitreLink: https://attack.mitre.org/wiki/Technique/T1216
-    OperatingSystem: Windows 10
-Full_Path:
-  - Path: C:\Windows\System32\slmgr.vbs
-  - Path: C:\Windows\SysWOW64\slmgr.vbs
-Code_Sample: 
-  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
-  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
-Detection:
-  - IOC:
-Resources:
-  - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
-  - Link: https://www.youtube.com/watch?v=3gz1QmiMhss
-Acknowledgement:
-  - Person: Matt Nelson
-    Handle: '@enigma0x3'
-  - Person: Casey Smith
-    Handle: '@subtee'
---