Introduction Last week, I presented COM Under The Radar: Circumventing Application Control Solutions at BsidesCharm 2019. In the presentation, I briefly discussed COM and highlighted a few techniques for bypassing Windows application control solutions. One of those techniques takes advantage of an issue with catalog hygiene where old code often remains signed in updated versions […]
Introduction Greetings, Everyone! It has been several months since I’ve blogged, so it seems fitting to start the New Year off with a post about two topics that I thoroughly enjoy exploring: Application Control/Application Whitelisting (AWL) and the Component Object Model (COM). As the title suggests, I stumbled upon a technique for bypassing Microsoft Application […]
TL;DR There are several ways that attackers can leverage COM hijacking to influence evasive loading and hidden persistence. A few examples include CLSID (sub)key abandonment referencing, key overriding, and key linking. There are several programs and utilities that can invoke COM registry payloads including Rundll32.exe, Xwizard.exe, Verclsid.exe, Mmc.exe, and the Task Scheduler. In the traditional […]
TL;DR An Office XML (.xml) document can call a remote XSL stylesheet over SMB. If this occurs against an attacker controlled server, the net-NTLM authentication hash (challenge/response) of that user is revealed. Operationally, an attacker could crack this offline or leverage a relay technique for remote command execution (if privileged and on-net). There are possible […]
TL;DR Vendors are notorious for including and/or leaving behind Registry artifacts that could potentially be abused by attackers for lateral movement, evasion, bypass, and persistence. CLSIDs subkeys (LocalServer32 and InprocServer32) can be enumerated to discover abandoned binary references. Interestingly, CLSIDs can be called (‘invoked’) with this command: rundll32.exe -sta {CLSID} Defensive recommendations – clean up […]
TL;DR This post discusses an alternate DCOM lateral movement discovery and payload execution method. The primary gist is to locate DCOM registry key/values that point to the path of a binary on the ‘remote’ machine that does not exist. This example method is likely to work if mobsync.exe is not in \\target\admin$\system32\, which is default […]
[Source: blog.microsoft.com] Introduction Not long ago, I blogged about Vshadow: Abusing the Volume Shadow Service for Evasion, Persistence, and Active Directory Database Extraction. This tool was quite interesting because it was yet another utility to perform volume shadow copy operations, and it had a few other features that could potentially support other offensive use cases. […]
Background Last Wednesday, I had some down time so I decided to hunt around in \System32 to see if I could find anything of potential interest. I located a few DLL files that shared an interesting export function called OpenURL: While looking for a quick win, I wanted to see if anything could be invoked […]
Introduction Two weeks ago, I blogged about several “pass-thru” techniques that leveraged the use of INF files (‘.inf’) to “fetch and execute” remote script component files (‘.sct’). In general, instances of these methods could potentially be abused to bypass application whitelisting (AWL) policies (e.g. Default AppLocker policies), deter host-based security products, and achieve ‘hidden’ persistence. […]
Introduction Over the last few weeks, I researched and tested a few interesting namespaces/methods documented on various Microsoft/MSDN sources that dealt with executing various COM scripts/scriptlets (e.g. VBscript, Jscript, etc.). In particular, I was curious to see if there were potentially new ways to invoke remote scripts (ActiveX Objects) by leveraging some of the great […]
bohops 