Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Windows Operating System Archaeology


Published on

Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.

Published in: Technology
  • Login to see the comments

Windows Operating System Archaeology

  1. 1. Windows Operating System Archaeology Matt Nelson Casey Smith
  2. 2. Who Are We? - Casey Smith (@subTee) - Mandiant Red Team - - Matt Nelson (@enigma0x3) - Operator and Security Researcher at SpecterOps -
  3. 3. Objectives For This Talk Foster curiosity & further research Provide references Call attention to the attack surface and capabilities
  4. 4. What Will We Discuss? COM Overview COM Research Methodology Malicious COM Tactics
  5. 5. COM Overview -Brief Background -Registration -Resolution
  6. 6. COM Architecture and History - in 2 minutes ;-) What are COM components? COM components are cross-language classes backed by: DLL (Dynamic-Link Libraries) OCX (ActiveX controls) TLB (Type Libraries ) EXE (Executables) SCT ( XML files ) Location Transparency Principle
  7. 7. Example - COM Scriptlet XML XML Files - We use these for POC examples Registration Block
  8. 8. COM Object Type Registration To find a component when a program needs it, it is USUALLY registered What Registry keys are related to COM object registration? HKLM + HKCU HKCR
  9. 9. What registry entries are needed to register a COM object? are-needed-to-register-a-com-object/ Also XRef: Minimal COM object registration registration/
  10. 10. COM Object Type Resolution CLSID - GUID - {AAAA1111-0000-0000-0000-0000FEEDACDC} ProgID - String Monikers - “scriptlet:” GetObject - CreateObject Methods rundll32.exe javascript:"..mshtml,RunHTMLApplication ";a=GetObject('scriptlet:');a.Exec();close();
  11. 11. WMI GetObject example
  12. 12. Registry Example
  13. 13. COM Registry Keys Regsvr32.exe Regasm.exe Regsvcs.exe These tools usually handle the registration and registry key population for us.
  14. 14. Example Call To Create/Locate an Object
  15. 15. What does all this mean? COM Artifacts and details can be found in the registry. Usually...
  16. 16. Avoid Registration Process
  17. 17. Sample Objective: Execute .NET code inside Windows Scripting Host Without registering the COM object.
  18. 18. Registration-Free COM Activation Microsoft.Windows.ActCtx Object Attach a Manifest or Download ManifestURL Loads dll without registration.
  19. 19. RegistrationHelper - Bypass via CScript.exe
  20. 20. Example
  21. 21. In Memory Assembly Execution JScript/VBScript This is Amazing! Executes a .NET assembly IN JSCRIPT This dramatically extends capabilities of COM Scriptlets No Dll On Disk. Works for .NET 2 and 3.5 Only
  22. 22. Methodology Examples Using Procmon to trace resolution
  23. 23. Example - There are DOZENS of these
  24. 24. Excavation Tools James Forshaw - OleViewDotNet - Mark Russonovich - ProcMon - us/sysinternals/processmonitor RPCView - API Spy -
  25. 25. Malicious Tactics Overview Persistence COM Hijacking - Evasion Office Add-Ins Privilege Escalation Lateral Movement
  26. 26. Persistence via COM Hijacking Leveraging Per-User COM Objects, we can divert resolution to an object under our control. Registry Only Persistence “TreatAs” hijack COM handler hijacking (scheduled tasks) com-handler-hijacking/
  27. 27. Persistence via COM Hijacking
  28. 28. DEMO Registry Only Persistence
  29. 29. Evasion Windows very often resolves COM objects via the HKCU hive first Find your favorite script that implements GetObject() or CreateObject() and hijack it. This allows you to instantiate your own code without exposing it via the command line.
  30. 30. Abusing WSH: VBScript Injection Leverage an existing, signed VBScript to run our code
  31. 31. C:WindowsSystem32Printing_Admin_Scriptsen-US pubprn.vbs For example: Windows printing script pubprn.vbs calls GetObject on a parameter we control. Can use this to execute a COM scriptlet
  32. 32. Example: Evade Command Line Logging slmgr.vbs instantiates Scripting.Dictionary via CreateObject(). Hijack that object to make it run your code
  33. 33. Source Code of Slmgr.vbs Default System File
  34. 34. Example: Evade Command Line Logging
  35. 35. This is also a clever way to bypass AppLocker ;-) Winrm.vbs
  36. 36. Bypass the AntiMalware Scan Interface (AMSI)
  37. 37. Malicious Office Add-ins Outlook, Excel etc. Rich API for persistence and C2 Outlook Rules Added Via COM Object
  38. 38. Privilege Escalation The COM Elevation Moniker - Resources -Execute Process in Another user’s session -Think Terminal Server or RDP etc…
  39. 39. COM - CVE-2017-0100 - James Forshaw
  40. 40. Domain Admin Elevation @n0pe_sled
  41. 41. Lateral Movement - Leveraging DCOM objects with no explicit access or launch permissions set - Certain objects have interesting methods… com-object/
  42. 42. Conclusions
  43. 43. Hopeful outcomes of this talk. Foster curiosity & further research Provide references Call attention to the attack surface and capabilities
  44. 44. Closing Thoughts / Conclusions / Thanks Special Thanks to: David Mcguire & Jason Frank for their support of this research while we were working for them. James Forshaw - For answering our questions and COM research All of the former ATD members who provided feedback and improvements to our research!