Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.
2. Who Are We?
- Casey Smith (@subTee)
- Mandiant Red Team
- subt0x10.blogspot.com
- Matt Nelson (@enigma0x3)
- Operator and Security Researcher at SpecterOps
- enigma0x3.net
3. Objectives For This Talk
Foster curiosity & further research
Provide references
Call attention to the attack surface and capabilities
4. What Will We Discuss?
COM Overview
COM Research Methodology
Malicious COM Tactics
6. COM Architecture and History - in 2 minutes ;-)
What are COM components?
COM components are cross-language classes backed by:
DLL (Dynamic-Link Libraries)
OCX (ActiveX controls)
TLB (Type Libraries )
EXE (Executables)
SCT ( XML files )
Location Transparency Principle
7. Example - COM Scriptlet XML
XML Files - We use these for POC examples
Registration Block
8. COM Object Type Registration
To find a component when a program needs it,
it is USUALLY registered
What Registry keys are related to COM object registration?
HKLM
+ HKCU
HKCR
9. What registry entries are needed to register a COM object?
https://blogs.msdn.microsoft.com/larryosterman/2006/01/11/what-registry-entries-
are-needed-to-register-a-com-object/
Also XRef:
Minimal COM object registration
https://blogs.msdn.microsoft.com/larryosterman/2006/01/05/minimal-com-object-
registration/
22. In Memory Assembly Execution JScript/VBScript
https://github.com/tyranid/DotNetToJScript
This is Amazing!
Executes a .NET assembly IN JSCRIPT
This dramatically extends capabilities of COM Scriptlets
No Dll On Disk.
Works for .NET 2 and 3.5 Only
28. Persistence via COM Hijacking
Leveraging Per-User COM Objects, we can divert resolution to an object under
our control.
Registry Only Persistence
“TreatAs” hijack
COM handler hijacking (scheduled tasks)
https://msdn.microsoft.com/en-us/library/windows/desktop/ms679737(v=vs.85).aspx
https://github.com/subTee/OSArchaeology/blob/master/COM/TreatAsPersistence.reg
https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-
com-handler-hijacking/
31. Evasion
Windows very often resolves COM objects via the HKCU hive first
Find your favorite script that implements GetObject() or CreateObject() and hijack it.
This allows you to instantiate your own code without exposing it via the command
line.
32. Abusing WSH: VBScript Injection
Leverage an existing, signed VBScript to run our code
39. Malicious Office Add-ins
Outlook, Excel etc.
Rich API for persistence and C2
https://twitter.com/JohnLaTwC/status/836259629277421568
Outlook Rules Added Via COM Object
https://gist.github.com/subTee/e04a93260cc69772322502545c2121c4
https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
40. Privilege Escalation
The COM Elevation Moniker - Resources
-Execute Process in Another user’s session
-Think Terminal Server or RDP etc…
43. Lateral Movement
- Leveraging DCOM objects with no explicit access or launch permissions set
- Certain objects have interesting methods…
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-
com-object/
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
46. Hopeful outcomes of this talk.
Foster curiosity & further research
Provide references
Call attention to the attack surface and capabilities
47. Closing Thoughts / Conclusions / Thanks
Special Thanks to:
David Mcguire & Jason Frank for their support of this research while we were
working for them.
James Forshaw - For answering our questions and COM research
All of the former ATD members who provided feedback and improvements to our
research!
Notas del editor
Casey
Casey/Matt
Casey
Casey
Casey
Casey
https://cansecwest.com/slides/2015/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects-Xiaoning_li.pdf
https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf
COM Specification:
http://www.daimi.au.dk/~datpete/COT/COM_SPEC/pdf/com_spec.pdf
Windows COM Dependency/History/Origins
James Forshaw’s talk at Troopers and Infiltrate
Casey
Necessary For GetObject
Casey
AppID, CLSID
Explain HKCR vs hkcu/hklm
Casey
Casey
https://blogs.msdn.microsoft.com/cristib/2012/10/31/how-com-works-how-to-build-a-com-visible-dll-in-c-net-call-it-from-vba-and-select-the-proper-classinterface-autodispatch-autodual-part12/
Be sure to reference script:http for Matt’s malicious demos
Casey
Importance Of GetObject
Casey
Casey
From COM Specification
Casey
Casey
Casey
Casey
Casey
(maybe add arrows)
Casey
Matt
Resolution fails as well
Matt
(reference treatas)
Casey/Matt
Matt
Matt
http://www.nobunkum.ru/analytics/en-com-hijacking
https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
https://attack.mitre.org/wiki/Technique/T1122
Matt
Matt
Matt
Matt
Matt
Source Code of pubprn.vbs
Injectable args(1)
Matt
Matt
Point out why that injection is possible. We can hijack the script at CreateObject - before the rest of the logic!
Matt
Matt
Matt
Matt
Casey
https://msdn.microsoft.com/en-us/library/ms679687.aspx - COM Elevation Moniker
https://bugs.chromium.org/p/project-zero/issues/detail?id=1021&can=1&q=&sort=-id%20-%20P0%20EoP
Reference Julian n0pe_sleds write up once posted on using this trick to get DA.
http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html
Casey
https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=262285
http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html
Windows HelpPane Elevation of Privilege Vulnerability - CVE-2017-0100An elevation of privilege exists in Windows when a DCOM object in Helppane.exe configured to run as the interactive user fails to properly authenticate the client. An attacker who successfully exploited the vulnerability could run arbitrary code in another user's session.To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability once another user logged in to the same system via Terminal Services or Fast User Switching.The update addresses the vulnerability by correcting how Helppane.exe authenticates the client.The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:Vulnerability titleCVE numberPublicly disclosedExploitedWindows HelpPane Elevation of Privilege VulnerabilityCVE-2017-0100NoNo