Slide 1

COM/DCOM: Forgotten Knowledge
Vladislav Burtsev

Slide 2

Agenda
- COM/DCOM basics
- Advanced capabilities
- Tools & API
- Attacks: Direct COM/DCOM usage
- Attacks: COM Hijacking
- Detection

Slide 3

COM/DCOM Basics – History
- Aimed to solve compatibility and sharing problems
- Introduced in the 1990s and related to OLE, ActiveX, DCOM, COM+, MTS, etc.

Slide 4

COM/DCOM Basics – Terms
- COM Interface: a set of methods with a defined binary layout
- COM Class: implements one or more COM Interfaces
- COM Object: an instance of a COM Class
- COM Component (COM Server): PE file with one or more COM Classes (diagram: DLL → Class → Class Instance)

Slide 5

COM/DCOM Basics – IN- and OUT-of-process COM Server
- IN-process (diagram): DLL → Class → Instance 1, Instance 2, all inside the client process
- OUT-OF-process (diagram): Client Process holds a Proxy to Instance 1; Server Process holds Instance 1 and a Stub; calls are marshalled on one side and unmarshalled on the other

Slide 6

COM/DCOM Basics – IUnknown interface (every COM Object implements IUnknown)

```cpp
HRESULT QueryInterface(const IID& riid, void** ppv);
ULONG AddRef();
ULONG Release();
```

Slide 7

COM/DCOM Basics – Invocation, same host
1. Client Application sends a request with the CLSID to the SCM
2. SCM looks up the CLSID in the Registry
3. Server process instantiates the COM Object
4. Pointer to the Object is passed back to the client
5. Client calls the COM Method

Registry value shown on the slide: (default) = %SystemRoot%\System32\RtCOM64.dll

Slide 8

COM/DCOM Advanced capabilities – Invocation, another host
Diagram labels: Client host: Application → Proxy → RPC → SCM / Registry; Server host: SCM → COM Object, with the RPC Stub on the server side

Slide 9

COM/DCOM Advanced capabilities – Invocation, another host (as used by PowerShell Empire)
- DCOM objects: ShellBrowserWindow, ShellWindows, MMC20.Application, Excel.Application
- Instantiation: GetTypeFromCLSID, GetTypeFromProgID
- Methods: ServiceStart, ShellExecute, ExecuteShellCommand, RegisterXLL, DDEInitiate

Slide 10

COM/DCOM Advanced capabilities – Multiple Languages (example: Server XML HTTP 6.0 with open(), send(), …)
- PowerShell: `New-Object -ComObject Msxml2.ServerXMLHTTP.6.0` or `[activator]::CreateInstance([type]::GetTypeFromCLSID(…))`
- VBA: `Dim myObj As Object` / `Set myObj = CreateObject("MSXML2.ServerXMLHTTP")`
- C#: `MSXML2.ServerXMLHTTP myObj = new ServerXMLHTTP();`
- C/C++: `hr = CoCreateInstance(CLSID, NULL, CLSCTX_ALL, IID_Interface, reinterpret_cast<void**>(&iface))`

Slide 11

COM/DCOM Tools & API – Instance Creation
- CoInitializeEx(): initialize COM for the thread (put it into the apartment of the given type)
- CoCreateInstance(): create an instance of a given class and return a requested interface pointer to the new object
- CoGetClassObject(): try to get a pointer to the IClassFactory interface, then ClassFactoryObject -> CreateInstance()
- Context: CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER

Slide 12

COM/DCOM Tools & API – Instance Creation
CoGetClassObject(rclsid, dwClsContext, pServerInfo, riid, ppv)

DLL:
1. Locate CLSID in HKEY_CLASSES_ROOT
2. Load DLL from InprocServer32 key (CoLoadLibrary())
3. Call GetProcAddress() for DllGetClassObject()
4. Call DllGetClassObject()
5. Return Class Factory to caller

EXE:
1. Locate CLSID in a global table that maps CLSID to its associated Class Factory. This map is managed by DCOMLaunch (hosted in svchost.exe)
2. If not found, locate CLSID in HKEY_CLASSES_ROOT
3. Launch executable from LocalServer32 key where Command Line is stored. DCOMLaunch uses CreateProcess()
4. Created process registers itself in the DCOMLaunch table by calling CoRegisterClassObject()
5. Once registered, client receives a proxy object to the class factory

Service:
1. Locate CLSID in a global table that maps CLSID to its associated Class Factory. This map is managed by DCOMLaunch (hosted in svchost.exe)
2. If not found, locate CLSID in HKEY_CLASSES_ROOT
3. Launch executable from AppID key where Launch permissions and service name are stored. DCOMLaunch contacts SCM
4. Created process registers itself in the DCOMLaunch table by calling CoRegisterClassObject()
5. Once registered, client receives a proxy object to the class factory

Slide 13

COM/DCOM Advanced capabilities – regsvr32.exe
LoadLibrary() → GetProcAddress() → DllRegisterServer()

Slide 14

COM/DCOM – AMSI
Covers: PowerShell, Windows Script Host (JavaScript, VBScript), Office VBA
source: https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps

Slide 15

COM/DCOM – Attacks: Direct COM/DCOM Usage
- impacket: dcomexec.py
- PowerShell Empire

Slide 16

COM/DCOM – Attacks: Direct COM/DCOM Usage

Slide 17

COM/DCOM – Attacks: Direct COM/DCOM Usage (observed event chain)
1. process_creation: BitsDownload.exe
2. file_event: C:\Users\script.ps1
3. process_creation: cmd.exe (parent: Svchost.exe)
4. process_creation: whoami.exe
5. file_event: C:\Users\info.txt

Slide 18

COM/DCOM – Attacks: COM Hijacking
HKEY_CLASSES_ROOT holds:
- File extension associations
- COM class registrations
- Virtualized registry root for UAC

Slide 19

COM/DCOM – Attacks: COM Hijacking
HKEY_CLASSES_ROOT = Systemwide class registration data in HKLM\SOFTWARE\Classes + the per-user class registration data in HKCU\SOFTWARE\Classes (mapped to %SYSTEMROOT%\AppData\Local\Microsoft\Windows\Usrclass.dat)

Slide 20

COM/DCOM – Abandoned COM keys
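The HKCR merge from slide 19 and the abandoned keys of slide 20, modelled as an added example (not code from the talk): a per-user CLSID shadows the machine-wide one, and a registration whose server DLL is missing is a key that should be cleaned up. The hive snapshots, GUIDs, paths and the on-disk set are constructed; on a real host they would come from winreg and os.path.exists.

```python
# Constructed snapshots of the two hives merged into HKEY_CLASSES_ROOT
# (CLSID -> InprocServer32 default value). Not real registry data; on Windows
# the same tables would be read with winreg from HKLM\Software\Classes\CLSID
# and HKCU\Software\Classes\CLSID. GUIDs are placeholders.
HKLM_CLSID = {
    "{00000000-0000-0000-0000-0000000000a1}": r"C:\Windows\System32\machine_component.dll",
    "{00000000-0000-0000-0000-0000000000a2}": r"C:\Program Files\Vendor\uninstalled_component.dll",
}
HKCU_CLSID = {
    "{00000000-0000-0000-0000-0000000000a1}": r"C:\Users\alice\AppData\Roaming\shadow.dll",
    "{00000000-0000-0000-0000-0000000000a3}": r"C:\Users\alice\AppData\Local\Temp\per_user.dll",
}
# Constructed view of what is on disk; pass os.path.exists instead on a real host.
PRESENT_ON_DISK = {r"C:\Windows\System32\machine_component.dll",
                   r"C:\Users\alice\AppData\Roaming\shadow.dll"}


def resolve_hkcr(clsid, hklm=HKLM_CLSID, hkcu=HKCU_CLSID):
    """HKCR lookup as on slide 19: the per-user hive is consulted first, so a
    HKCU entry shadows the machine-wide registration for the same CLSID."""
    if clsid in hkcu:
        return ("HKCU", hkcu[clsid])
    if clsid in hklm:
        return ("HKLM", hklm[clsid])
    return None


def audit_clsids(hklm=HKLM_CLSID, hkcu=HKCU_CLSID, exists=lambda p: p in PRESENT_ON_DISK):
    """Two checks over a registry snapshot:
    - hkcu_override: a per-user CLSID that shadows a machine-wide one (hijack pattern)
    - abandoned: a registration whose server DLL is no longer on disk (slide 20);
      such keys should be removed rather than left for reuse."""
    findings = []
    for clsid, path in hkcu.items():
        if clsid in hklm and hklm[clsid].lower() != path.lower():
            findings.append(("hkcu_override", clsid, path))
    for table in (hklm, hkcu):
        for clsid, path in table.items():
            if not exists(path):
                findings.append(("abandoned", clsid, path))
    return findings
```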

Slide 21

COM/DCOM – Attacks: COM Hijacking - TreatAs

Slide 22

COM/DCOM – Attacks: COM Hijacking - ScriptletURL
rundll32.exe -sta {GUID}

Slide 23

COM/DCOM – Attacks: COM Hijacking - ScriptletURL
source: https://github.com/enigma0x3/windows-operating-system-archaeology/blob/master/Evasion/slmgr_COM_hijack.reg

Slide 24

COM/DCOM – Attacks: COM Hijacking - EoP
source: https://github.com/hfiref0x/UACME

Slide 25

COM/DCOM – Detection
GetTypeFromCLSID / GetTypeFromProgID + ServiceStart / ShellExecute / ExecuteShellCommand / RegisterXLL / DDEInitiate → EventID 4104 / AMSI

Slide 26

COM/DCOM – Detection

```yaml
title: Component Object Model Hijacking via TreatAs
description: Detects component object model hijacking via treatas
author: Kaspersky
status: stable
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1546.015
  - attack.defense_evasion
  - attack.t1112
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    EventType: SetValue
    TargetObject|endswith:
      - 'Classes\CLSID\*\TreatAs'
      - 'Classes\CLSID\*\ScriptletURL'
  filter:
    Image|endswith:
      - 'program files\common files\microsoft shared\clicktorun\updates\*\officeclicktorun.exe'
      - 'windows\winsxs\amd64_microsoft-windows-servicingstack_*\tiworker.exe'
  condition: selection and not filter
falsepositives:
  -
level: high
```

Slide 27

COM/DCOM – Detection

```yaml
title: Component Object Model Hijacking via rundll32.exe
description: Detects COM server start via rundll32. It's likely a hijacked COM component.
author: Kaspersky
status: stable
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1546.015
  - attack.t1548.002
  - attack.defense_evasion
  - attack.t1218.011
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith: '\rundll32.exe'
  selection2:
    CommandLine|contains:
      - '-sta '
      - '/sta '
    CommandLine|contains|all:
      - '{'
      - '}'
  selection3:
    CommandLine|contains: '-localserver '
  condition: selection1 and (selection2 or selection3)
falsepositives:
  - Legitimate soft (rare)
level: high
```
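The matching logic of the two Sigma rules (slides 26 and 27), written out as an added example so it can be run over sample telemetry; it is not code from the talk or from the Sigma project. The Sysmon-style events, the GUID and the paths are constructed placeholders.

```python
import fnmatch

# Constructed Sysmon-style sample events (not real telemetry); GUID and paths are placeholders.
REGISTRY_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\TreatAs"},
    {"EventType": "SetValue",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.1\OfficeClickToRun.exe",
     "TargetObject": r"HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\TreatAs"},
    {"EventType": "SetValue", "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)"},
]
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe -sta {00000000-0000-0000-0000-000000000001}"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c rundll32 /sta {00000000-0000-0000-0000-000000000001}"},
]


def ends_with(value, pattern):
    """Sigma '|endswith' semantics: case-insensitive, '*' in the pattern is a wildcard."""
    return fnmatch.fnmatchcase(value.lower(), "*" + pattern.lower())


def contains(value, needle):
    """Sigma '|contains' semantics: case-insensitive substring match."""
    return needle.lower() in value.lower()


def treatas_hijack(ev):
    """Slide 26 rule: SetValue on a CLSID's TreatAs or ScriptletURL, unless written by a known updater."""
    if ev.get("EventType") != "SetValue":
        return False
    target, image = ev.get("TargetObject", ""), ev.get("Image", "")
    selection = any(ends_with(target, p) for p in (r"Classes\CLSID\*\TreatAs", r"Classes\CLSID\*\ScriptletURL"))
    filtered = any(ends_with(image, p) for p in (
        r"program files\common files\microsoft shared\clicktorun\updates\*\officeclicktorun.exe",
        r"windows\winsxs\amd64_microsoft-windows-servicingstack_*\tiworker.exe"))
    return selection and not filtered


def rundll32_com_start(ev):
    """Slide 27 rule: rundll32.exe started with -sta/{GUID} or -localserver, i.e. hosting a COM server."""
    image, cl = ev.get("Image", ""), ev.get("CommandLine", "")
    if not ends_with(image, r"\rundll32.exe"):
        return False
    sel2 = (contains(cl, "-sta ") or contains(cl, "/sta ")) and contains(cl, "{") and contains(cl, "}")
    sel3 = contains(cl, "-localserver ")
    return sel2 or sel3


def run_rules():
    """Return the indexes of the sample events each rule fires on."""
    return ([i for i, e in enumerate(REGISTRY_EVENTS) if treatas_hijack(e)],
            [i for i, e in enumerate(PROCESS_EVENTS) if rundll32_com_start(e)])
```

The second registry event is suppressed only because of the filter on the Office updater image; the third process event is missed because the rule keys on the rundll32 image, not on a command line that merely mentions it.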

Slide 28

Thank you!
Vladislav Burtsev, Threat Intelligence analyst
@vladburch
www.linkedin.com/in/vladislav-burtsev