Slmgr.vbs

Script used to manage Windows license activation


Paths:


Resources:
https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
https://www.youtube.com/watch?v=3gz1QmiMhss

Acknowledgement:
Matt Nelson - @enigma0x3
Casey Smith - @subtee


Detection:



Execute

Hijack the Scripting.Dictionary COM object to execute remote scriptlet (SCT) code
reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
Usecase: Proxy execution
Privileges required: User
OS: Windows 10
Mitre: T1216
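
A detection sketch for the command sequence above, added here as an example and not part of the original entry: it flags a slmgr.vbs launch under cscript/wscript that follows a reg.exe import by the same user within a short window. The event tuple layout, the five-minute window, the function name and the sample records are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Patterns for the two commands in the entry above (case-insensitive).
REG_IMPORT = re.compile(r'(?i)\breg(?:\.exe)?"?\s+import\b')
SLMGR_RUN = re.compile(r'(?i)\b[cw]script(?:\.exe)?"?\s.*\bslmgr\.vbs\b')

# Constructed process-creation records: (ISO time, user, command line).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "alice", r"reg.exe import c:\users\alice\downloads\settings.reg"),
    ("2024-01-01T10:00:02", "alice", r"cscript.exe /b c:\windows\system32\slmgr.vbs"),
    ("2024-01-01T11:00:00", "bob", r"cscript.exe //nologo c:\windows\system32\slmgr.vbs /dli"),
    ("2024-01-01T12:00:00", "carol", r'reg.exe import "c:\temp\printer.reg"'),
    ("2024-01-01T12:30:00", "carol", r"cscript.exe c:\windows\system32\slmgr.vbs /xpr"),
    ("2024-01-01T13:00:00", "dave",
     r'cmd.exe /c "reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs"'),
]


def find_import_then_slmgr(events, window=timedelta(minutes=5)):
    """Return slmgr.vbs launches preceded by a reg import from the same user within `window`."""
    last_import = {}  # user -> (time, command line) of the most recent reg import
    hits = []
    for ts, user, cmd in sorted(events):
        when, key = datetime.fromisoformat(ts), user.lower()
        if REG_IMPORT.search(cmd):
            last_import[key] = (when, cmd)
        # Checked independently so a single chained command line matches both patterns.
        if SLMGR_RUN.search(cmd):
            prior = last_import.get(key)
            if prior and when - prior[0] <= window:
                hits.append({"time": ts, "user": user, "import": prior[1], "run": cmd})
    return hits


if __name__ == "__main__":
    for hit in find_import_then_slmgr(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['user']}: {hit['run']}  (after: {hit['import']})")
```

Routine license queries (bob) and an unrelated import long before a slmgr.vbs run (carol) are not flagged. The check matches on command lines only, so it should be paired with monitoring of per-user COM class registrations.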