{
	"id": "b2ad90f4-2fc1-490f-a441-2b382b4307ea",
	"created_at": "2026-04-06T02:12:54.482348Z",
	"updated_at": "2026-04-10T03:21:11.863677Z",
	"deleted_at": null,
	"sha1_hash": "600dcc88091fcf8c10ef78fa6b63fe822d7e6ec3",
	"title": "WSH Injection: A Case Study",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 199032,
	"plain_text": "WSH Injection: A Case Study\r\nPublished: 2017-08-03 · Archived: 2026-04-06 01:54:25 UTC\r\nAt BSides Nashville 2017, Casey Smith (@SubTee) and I gave a talk titled Windows Operating System Archaeology. At this talk, we released a handful of offensive techniques that utilized the Component Object Model (COM) in Windows. One such technique described was abusing attacker-controlled input passed to calls to GetObject(), which I will be discussing here.\r\nSome environments use whitelisting to prevent unsigned Windows Scripting Host (WSH) files from running, especially with the rise of malicious .js or .vbs files. However, by “injecting” our malicious code into a Microsoft-signed WSH script, we can bypass such a restriction.\r\nBefore diving into the different scripts that can be used for injection, it’s important to understand some of the mechanics behind why this works. When abusing injection, we are taking advantage of attacker-controlled input passed to GetObject() and then combining that with the “script:” or “scriptlet:” COM monikers.\r\nGetObject()\r\nThis method allows you to access an already instantiated COM object. If there isn’t an instance of the object already (if invoked without a moniker), this call will fail. For example, accessing Microsoft Excel’s COM object via GetObject() would look like this:\r\nSet obj = GetObject( , \"Excel.Application\")\r\nFor the above to work, an instance of Excel has to be running. You can read more about GetObject() here.\r\nCOM Monikers\r\nWhile GetObject() is interesting by itself, it only allows us to access an instance of an already instantiated COM object. To get around this, we can implement a COM moniker to facilitate our payload execution. If you aren’t familiar with COM monikers, you can read more about them here. There are various COM monikers on Windows that allow you to instantiate objects in various ways. From an offensive standpoint, you can use these monikers to execute malicious code. That is a topic for another blog post :-).\r\nFor this post, we will focus on the “script:” and “scriptlet:” monikers. These particular monikers interface with scrobj.dll and help facilitate execution of COM scriptlets, which will be the payload. This was discovered by Casey Smith (@SubTee) and discussed at DerbyCon 2016 as well as blogged about here.\r\nAn example COM scriptlet will look like this:\r\n\u003c?XML version=\"1.0\"?\u003e\r\nvar r = new ActiveXObject(\"WScript.Shell\").Run(\"calc.exe\");\r\n]]\u003e\r\n\u003c/scriptlet\u003e\r\nhttps://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/\r\nPage 1 of 3\r\nYou can also use James Forshaw’s (@tiraniddo) tool DotNetToJScript to extend the JScript/VBScript in the COM Scriptlet, allowing for Win32 API access and even Shellcode execution. When you combine one of these two monikers and various calls to GetObject(), a lot of fun is had.\r\nNow that the very brief COM background is over, time to look at an example 🙂\r\nPubPrn.vbs\r\nOn Windows 7+, there is a Microsoft-signed WSH script called “PubPrn.vbs,” which resides in “C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US”. When looking at this particular script, it becomes apparent that it is taking input provided by the user (via command line arguments) and passing an argument to “GetObject()”.\r\nThis means that we can run this script and pass it the two arguments it expects. The first argument can be anything and the second argument is the payload via the script: moniker.\r\nNote: If you provide a value that isn’t a network address for the first argument (since it expects a ServerName), you can add the “/b” switch to cscript.exe when calling to suppress any additional error messages.\r\nSince VBScript relies on COM to perform actions, it is used heavily in numerous Microsoft-signed scripts. While this is just one example, there are bound to be others that can be exploited in a similar fashion. I encourage you to go hunting 🙂\r\nMatt N.\r\nSource: https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/"
	],
	"report_names": [
		"wsh-injection-a-case-study"
	],
	"threat_actors": [],
	"ts_created_at": 1775441574,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/600dcc88091fcf8c10ef78fa6b63fe822d7e6ec3.pdf",
		"text": "https://archive.orkl.eu/600dcc88091fcf8c10ef78fa6b63fe822d7e6ec3.txt",
		"img": "https://archive.orkl.eu/600dcc88091fcf8c10ef78fa6b63fe822d7e6ec3.jpg"
	}
}