
COM/DCOM: Forgotten Knowledge


Presentation from the phd12 conference report

VladislavBurtsev

May 23, 2023


Transcript

  1. Slide 2: Agenda
    - COM/DCOM basics
    - Advanced capabilities
    - Tools & API
    - Attacks: Direct COM/DCOM usage
    - Attacks: COM Hijacking
    - Detection
  2. Slide 3: COM/DCOM Basics – History
    Aimed to solve compatibility and sharing problems. Introduced in the 1990s and related to OLE, ActiveX, DCOM, COM+, MTS, etc.
  3. Slide 4: COM/DCOM Basics – Terms
    - COM Interface: a set of methods with a defined binary layout
    - COM Class: implements one or more COM Interfaces
    - COM Object: an instance of a COM Class
    - COM Component (COM Server): PE file with one or more COM Classes
    (diagram labels: DLL, Class, Class Instance)
  4. Slide 5: COM/DCOM Basics – IN- and OUT-of-process COM Server
    (diagram) IN-process: the DLL, its Class and Instance 1 / Instance 2 live inside the Client Process. OUT-OF-process: the Client Process holds a Proxy to Instance 1, the Server Process hosts Instance 1 behind a Stub, and calls are marshaled / unmarshaled between the two.
  5. Slide 6: COM/DCOM Basics – IUnknown interface
    Every COM Object implements IUnknown:
      HRESULT QueryInterface(const IID& riid, void** ppv);
      ULONG AddRef();
      ULONG Release();
  6. Slide 7: COM/DCOM Basics – Invocation on the same host
    Participants: Client Application, SCM, Registry, COM Object in the Server process.
    1. Client sends a request with the CLSID
    2. SCM looks the CLSID up in the registry ((default) value: %SystemRoot%\System32\RtCOM64.dll)
    3. SCM instantiates the COM Object in the server process
    4. Pointer to the Object is passed back to the client
    5. Client calls a COM Method
  7. Slide 8: COM/DCOM Advanced capabilities – Invocation on another host
    (diagram) Client side: Application -> Proxy -> RPC -> SCM, with a Registry lookup. Server side: SCM -> COM Object, reached through RPC and a Stub.
  8. Slide 9: COM/DCOM Advanced capabilities – Invocation on another host
    Tooling: PowerShell Empire
    COM classes: ShellBrowserWindow, ShellWindows, MMC20.Application, Excel.Application
    Activation: GetTypeFromCLSID, GetTypeFromProgID, DCOM
    Methods: ServiceStart, ShellExecute, ExecuteShellCommand, RegisterXLL, DDEInitiate
  9. Slide 10: COM/DCOM Advanced capabilities – Multiple Languages
    The same object (Server XML HTTP 6.0: open(), send(), …) created from different languages:
    PowerShell:
      New-Object -ComObject Msxml2.ServerXMLHTTP.6.0
      [activator]::CreateInstance([type]::GetTypeFromCLSID(…))
    VBA:
      Dim myObj As Object
      Set myObj = CreateObject("MSXML2.ServerXMLHTTP")
    C#:
      MSXML2.ServerXMLHTTP myObj = new ServerXMLHTTP();
    C/C++:
      hr = CoCreateInstance(CLSID, NULL, CLSCTX_ALL, IID_Interface, reinterpret_cast<void**>(&iface));
  10. Slide 11: COM/DCOM Tools & API – Instance Creation
    CoInitializeEx(): initialize COM for the thread (put it into the apartment of the given type).
    CoCreateInstance(): create an instance of a given class and return a requested interface pointer to the new object.
    CoGetClassObject(): obtain a pointer to the class's IClassFactory interface, then call ClassFactoryObject->CreateInstance().
    Context (CLSCTX): CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER
  11. Slide 12: COM/DCOM Tools & API – Instance Creation
    CoGetClassObject(rclsid, dwClsContext, pServerInfo, riid, ppv) resolves the class differently depending on how the server is hosted:
    DLL:
      1. Locate CLSID in HKEY_CLASSES_ROOT
      2. Load DLL from InprocServer32 key (CoLoadLibrary())
      3. Call GetProcAddress() for DllGetClassObject()
      4. Call DllGetClassObject()
      5. Return Class Factory to caller
    EXE:
      1. Locate CLSID in a global table that maps CLSID to its associated Class Factory. This map is managed by DCOMLaunch (hosted in svchost.exe)
      2. If not found, locate CLSID in HKEY_CLASSES_ROOT
      3. Launch executable from LocalServer32 key where the command line is stored. DCOMLaunch uses CreateProcess()
      4. Created process registers itself in the DCOMLaunch table by calling CoRegisterClassObject()
      5. Once registered, client receives a proxy object to the class factory
    Service:
      1. Locate CLSID in a global table that maps CLSID to its associated Class Factory. This map is managed by DCOMLaunch (hosted in svchost.exe)
      2. If not found, locate CLSID in HKEY_CLASSES_ROOT
      3. Launch executable from AppID key where launch permissions and the service name are stored. DCOMLaunch contacts the SCM
      4. Created process registers itself in the DCOMLaunch table by calling CoRegisterClassObject()
      5. Once registered, client receives a proxy object to the class factory
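The registry walk behind slides 11 and 12, as an added PowerShell example that is not part of the deck: starting from a ProgID or CLSID it reads the same keys the SCM consults (HKCR\<ProgID>\CLSID, then InprocServer32, LocalServer32 and AppID) and reports which of the three activation paths (DLL, EXE, service) are registered. It only reads the registry; nothing is instantiated. The two ProgIDs used at the bottom are the ones that appear on the deck's own slides; the function and helper names are this example's own.

```powershell
# Added example (not from the deck): follow the registry lookups CoGetClassObject()
# and the SCM perform when resolving a class. Read-only; Windows only.

function Get-SubKeyDefault {
    # Default value of a subkey, or $null when the subkey does not exist.
    param([Microsoft.Win32.RegistryKey]$Key, [string]$SubKey)
    $sub = $Key.OpenSubKey($SubKey)
    if ($sub) { $sub.GetValue('') } else { $null }
}

function Resolve-ComClass {
    param([Parameter(Mandatory)][string]$ProgIdOrClsid)

    $hkcr = 'Registry::HKEY_CLASSES_ROOT'

    # A ProgID is only an alias: HKCR\<ProgID>\CLSID holds the real class id.
    if ($ProgIdOrClsid -match '^\{[0-9A-Fa-f-]{36}\}$') {
        $clsid = $ProgIdOrClsid
    } else {
        $clsid = (Get-Item -LiteralPath "$hkcr\$ProgIdOrClsid\CLSID" -ErrorAction Stop).GetValue('')
    }

    # Step 1 of every column on slide 12: locate the CLSID in HKEY_CLASSES_ROOT.
    $classKey = Get-Item -LiteralPath "$hkcr\CLSID\$clsid" -ErrorAction Stop

    $info = [ordered]@{
        Input          = $ProgIdOrClsid
        CLSID          = $clsid
        # DLL column: path loaded into the caller for CLSCTX_INPROC_SERVER
        InprocServer32 = Get-SubKeyDefault $classKey 'InprocServer32'
        # EXE column, step 3: the command line DCOMLaunch hands to CreateProcess()
        LocalServer32  = Get-SubKeyDefault $classKey 'LocalServer32'
        # TreatAs redirects activation to another CLSID (see the hijacking slides)
        TreatAs        = Get-SubKeyDefault $classKey 'TreatAs'
        AppID          = $classKey.GetValue('AppID')
        LocalService   = $null
        HasLaunchPermission = $false
    }

    # Service column, step 3: the AppID key carries launch permissions and the service name.
    if ($info.AppID) {
        $appKey = Get-Item -LiteralPath "$hkcr\AppID\$($info.AppID)" -ErrorAction SilentlyContinue
        if ($appKey) {
            $info.LocalService        = $appKey.GetValue('LocalService')
            $info.HasLaunchPermission = $null -ne $appKey.GetValue('LaunchPermission')
        }
    }

    # Which activation paths exist; the CLSCTX the client passes decides between them.
    $paths = @()
    if ($info.InprocServer32) { $paths += 'DLL (CLSCTX_INPROC_SERVER)' }
    if ($info.LocalServer32)  { $paths += 'EXE (CLSCTX_LOCAL_SERVER)' }
    if ($info.LocalService)   { $paths += 'Service (DCOMLaunch -> SCM)' }
    $info.ActivationPaths = $paths -join ', '

    [pscustomobject]$info
}

# ProgIDs taken from the deck's slides.
Resolve-ComClass 'Msxml2.ServerXMLHTTP.6.0'
Resolve-ComClass 'MMC20.Application'
```

Because HKCR is a merged view, the output does not show whether a value came from HKLM or HKCU; that distinction is what the hijacking slides are about, and is best checked against the two hives separately.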
  12. Slide 14: COM/DCOM – AMSI
    Covered by AMSI: PowerShell, Windows Script Host (JavaScript, VBScript), Office VBA
    Source: https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
  13. Slide 17: COM/DCOM – Attacks: Direct COM/DCOM Usage
    Observed event chain:
      process_creation: BitsDownload.exe
      file_event: C:\Users\script.ps1
      Svchost.exe
      process_creation: cmd.exe
      process_creation: whoami.exe
      file_event: C:\Users\info.txt
  14. Slide 18: COM/DCOM – Attacks: COM Hijacking
    HKEY_CLASSES_ROOT holds:
    - File extension associations
    - COM class registrations
    - Virtualized registry root for UAC
  15. Slide 19: COM/DCOM – Attacks: COM Hijacking
    HKEY_CLASSES_ROOT = systemwide class registration data in HKLM\SOFTWARE\Classes + the per-user class registration data in HKCU\SOFTWARE\Classes (mapped to %SYSTEMROOT%\AppData\Local\Microsoft\Windows\Usrclass.dat)
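A defender's check for the merge described on slides 18 and 19, as an added PowerShell example that is not from the deck: it enumerates the CLSIDs registered in the current user's hive and reports those that shadow a machine-wide registration or that carry a TreatAs / ScriptletURL redirection, which are the key names the detection slides later key on. It is read-only; the function and helper names are this example's own.

```powershell
# Added example (not from the deck): list per-user CLSID registrations that shadow
# or redirect a machine-wide one. HKCR merges HKCU\Software\Classes over
# HKLM\Software\Classes, so the user-writable entry wins for that user's processes.
# Read-only; run as the user whose hive is being inspected.

function Get-SubKeyDefault {
    # Default value of a subkey, or $null when the subkey does not exist.
    param([Microsoft.Win32.RegistryKey]$Key, [string]$SubKey)
    $sub = $Key.OpenSubKey($SubKey)
    if ($sub) { $sub.GetValue('') } else { $null }
}

function Find-ShadowedComClass {
    $userRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    $machineRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'
    if (-not (Test-Path -LiteralPath $userRoot)) { return }

    foreach ($userKey in Get-ChildItem -LiteralPath $userRoot) {
        $clsid      = $userKey.PSChildName
        $machineKey = Get-Item -LiteralPath "$machineRoot\$clsid" -ErrorAction SilentlyContinue
        $machineInproc = if ($machineKey) { Get-SubKeyDefault $machineKey 'InprocServer32' } else { $null }

        $finding = [ordered]@{
            CLSID                 = $clsid
            # Server paths the user hive supplies; any of them changes what gets loaded
            UserInprocServer32    = Get-SubKeyDefault $userKey 'InprocServer32'
            UserLocalServer32     = Get-SubKeyDefault $userKey 'LocalServer32'
            # Redirections: TreatAs points at another CLSID, ScriptletURL at a scriptlet
            UserTreatAs           = Get-SubKeyDefault $userKey 'TreatAs'
            UserScriptletURL      = Get-SubKeyDefault $userKey 'ScriptletURL'
            MachineInprocServer32 = $machineInproc
            ShadowsMachineClass   = [bool]$machineKey
        }

        # Report an entry when it overrides a class that also exists machine-wide,
        # or when it redirects activation regardless of what HKLM says.
        $redirects = $finding.UserTreatAs -or $finding.UserScriptletURL
        if ($finding.ShadowsMachineClass -or $redirects) { [pscustomobject]$finding }
    }
}

Find-ShadowedComClass | Format-Table -AutoSize
```

Per-user installers legitimately write to HKCU\Software\Classes (the Office ClickToRun updater is excluded by name in the Sigma rule on slide 26 for that reason), so a hit is a triage item, not a verdict: compare the user path with the machine path and check the signature of the binary the user entry points at.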
  16. Slide 26: COM/DCOM – Detection
    title: Component Object Model Hijacking via TreatAs
    description: Detects component object model hijacking via treatas
    author: Kaspersky
    status: stable
    tags:
      - attack.persistence
      - attack.privilege_escalation
      - attack.t1546.015
      - attack.defense_evasion
      - attack.t1112
    logsource:
      category: registry_set
      product: windows
    detection:
      selection:
        EventType: SetValue
        TargetObject|endswith:
          - 'Classes\CLSID\*\TreatAs'
          - 'Classes\CLSID\*\ScriptletURL'
      filter:
        Image|endswith:
          - 'program files\common files\microsoft shared\clicktorun\updates\*\officeclicktorun.exe'
          - 'windows\winsxs\amd64_microsoft-windows-servicingstack_*\tiworker.exe'
      condition: selection and not filter
    falsepositives:
      -
    level: high
  17. Slide 27: COM/DCOM – Detection
    title: Component Object Model Hijacking via rundll32.exe
    description: Detects COM server start via rundll32. It's likely a hijacked COM component.
    author: Kaspersky
    status: stable
    tags:
      - attack.persistence
      - attack.privilege_escalation
      - attack.t1546.015
      - attack.t1548.002
      - attack.defense_evasion
      - attack.t1218.011
    logsource:
      category: process_creation
      product: windows
    detection:
      selection1:
        Image|endswith: '\rundll32.exe'
      selection2:
        CommandLine|contains:
          - '-sta '
          - '/sta '
        CommandLine|contains|all:
          - '{'
          - '}'
      selection3:
        CommandLine|contains: '-localserver '
      condition: selection1 and (selection2 or selection3)
    falsepositives:
      - Legitimate soft (rare)
    level: high
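The match logic of the two rules on slides 26 and 27, re-expressed as an added PowerShell example that is not part of the deck and run over four constructed Sysmon-style events (the SID, CLSIDs and paths are made up for the example). Sigma's `|endswith` and `|contains` are case-insensitive and `*` is a wildcard, which `-like` reproduces; the function names are this example's own.

```powershell
# Added example (not from the deck): evaluate the slide 26 and 27 Sigma rules
# offline against constructed events, so the conditions can be checked.

function Test-TreatAsHijackRule {
    param([Parameter(Mandatory)]$Event)   # needs EventType, TargetObject, Image
    if ($Event.EventType -ne 'SetValue') { return $false }
    # selection: TargetObject|endswith (both values, OR-ed)
    $selection = ($Event.TargetObject -like '*Classes\CLSID\*\TreatAs') -or
                 ($Event.TargetObject -like '*Classes\CLSID\*\ScriptletURL')
    # filter: known legitimate writers, excluded by image path
    $filter = ($Event.Image -like '*program files\common files\microsoft shared\clicktorun\updates\*\officeclicktorun.exe') -or
              ($Event.Image -like '*windows\winsxs\amd64_microsoft-windows-servicingstack_*\tiworker.exe')
    return ($selection -and -not $filter)
}

function Test-Rundll32ComRule {
    param([Parameter(Mandatory)]$Event)   # needs Image, CommandLine
    $cmd = [string]$Event.CommandLine
    $selection1 = $Event.Image -like '*\rundll32.exe'
    # selection2: an -sta/-sta switch together with a {...} CLSID on the command line
    $selection2 = (($cmd -like '*-sta *') -or ($cmd -like '*/sta *')) -and ($cmd -like '*{*') -and ($cmd -like '*}*')
    $selection3 = $cmd -like '*-localserver *'
    return ($selection1 -and ($selection2 -or $selection3))
}

function Invoke-ComHijackRules {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $hit = switch ($e.Kind) {
            'registry_set'     { if (Test-TreatAsHijackRule $e) { 'Component Object Model Hijacking via TreatAs' } }
            'process_creation' { if (Test-Rundll32ComRule $e)   { 'Component Object Model Hijacking via rundll32.exe' } }
        }
        if (-not $hit) { continue }
        $detail = if ($e.Kind -eq 'registry_set') { $e.TargetObject } else { $e.CommandLine }
        [pscustomobject]@{ Rule = $hit; Image = $e.Image; Detail = $detail }
    }
}

# Constructed sample events (not real telemetry).
$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$events = @(
    # per-user TreatAs written by an unknown binary from a temp directory -> alert
    [pscustomobject]@{ Kind = 'registry_set'; EventType = 'SetValue'; Image = 'C:\Users\alice\AppData\Local\Temp\updater.exe'
                       TargetObject = "HKU\$sid\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\TreatAs" }
    # same kind of write by the Office ClickToRun updater -> suppressed by the filter
    [pscustomobject]@{ Kind = 'registry_set'; EventType = 'SetValue'; Image = 'C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.1.2\OfficeClickToRun.exe'
                       TargetObject = "HKU\$sid\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\TreatAs" }
    # rundll32 hosting a class in an STA -> alert
    [pscustomobject]@{ Kind = 'process_creation'; Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe -sta {AAAAAAAA-0000-0000-0000-000000000003}' }
    # ordinary rundll32 use -> no alert
    [pscustomobject]@{ Kind = 'process_creation'; Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' }
)

Invoke-ComHijackRules $events | Format-List
```

Running it yields two alerts (the first and third events). Before relying on the `|endswith` patterns in production, check how the log source names a key's default value: Sysmon records it as a trailing `(Default)` element of TargetObject, which the patterns above would not match without adjustment.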