Introduction
Nowadays organization’s security members became familiar with most of popular lateral movements techniques, which makes red teaming more difficult, therefor applying the latest techniques of initial access and lateral movements is a crucial for a successful attack, in this paper we will cover some aspects of abusing DCOM objects and several interesting COM objects were discovered by researchers that allow task scheduling, fileless download & execute as well as command execution to conduct lateral movements inside the network, note that the usage of these objects can be used to defeat detection based on process behavior and heuristic signatures.
What is a COM object?
COM objects stands for (Component Object Model) which is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft’s OLE (compound documents), ActiveX (Internet-enabled components), as well as others. [1]
What is the difference between COM and DCOM objects?
As we earlier defined COM objects the main difference is that COM is executed at a local level, at the client’s machine. Where on the other hand DCOM (Distributed Component Object Model) runs at the server end, where you pass instructions to the DCOM object and get it executed over the network. In a simpler language we can call DCOM as (COM via RPC).
Why COM objects?
The advantage of using those COM objects is that from a parent and child process relationship it looks legit because anything executed remotely (i.e. cmd.exe, powershell.exe etc.) will be a child process which is very common in many cases for example a child process of explorer.exe.
How Does DCOM Work?
The Windows Registry contains the DCOM configuration data in 3 identifiers:
- CLSID – The Class Identifier (CLSID) is a Global Unique Identifier (GUID). Windows stores a CLSID for each installed class in a program. When you need to run a class, you need the correct CLSID, so Windows knows where to go and find the program.
- PROGID – The Programmatic Identifier (PROGID) is an optional identifier a programmer can substitute for the more complicated and strict CLSID. PROGIDs are usually easier to read and understand. However there are no restrictions on how many PROGIDs can have the same name, which causes issues on occasion.
- APPID – The Application Identifier (APPID) identifies all of the classes that are part of the same executable and the permissions required to access it. DCOM cannot work if the APPID isn’t correct.
To make a COM object accessible by DCOM, an AppID must be associated with the CLSID of the class and appropriate permissions need to be given to the AppID. A COM object without an associated AppID cannot be directly accessed from a remote machine.
A basic DCOM transaction looks like this:
- The client computer requests the remote computer to create an object by its CLSID or PROGID. If the client passes the APPID, the remote computer looks up the CLSID using the PROGID.
- The remote machine checks the APPID and verifies the client has permissions to create the object.
- DCOMLaunch.exe (if an EXE) or DLLHOST.exe (if a DLL) will create an instance of the class the client computer requested.
- Communication is successful!
- The Client can now access all functions in the class on the remote computer.
Command execution using COM objects
COM object with CLSID {E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E}:
A researcher “Charles Hamilton” form Fireeye discovered that prchauto.dll which is located under (C:\Program Files (x86)\Windows Kits\10\App Certification Kit\prchauto.dll) has a class named ProcessChain exposing a CommandLine property and a Start method.
Start accepts a reference to a Boolean value. Commands can be started as follow:[2]
COM object with CLSID {F5078F35-C551-11D3-89B9-0000F81FE221} (Msxml2.XMLHTTP.3.0):
Exposes an XML HTTP 3.0 feature that can be used to download arbitrary code for execution without writing the payload to the disk and without triggering rules that look for the commonly-used System.Net.WebClient. The XML HTTP 3.0 object is usually used to perform AJAX requests. In this case, data fetched can be directly executed using the Invoke-Expression cmdlet (IEX) which can lead to Fileless Download and Execute. [2]
COM object with CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}:
This com object implements the Schedule.Service class for operating the Windows Task Scheduler Service. This COM object allows privileged users to schedule a task on a host (including a remote host) without using the schtasks.exe binary or the schtasks.exe at command. [2]
COM object with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} for ShellWindows:
This method is hosted by an existing explorer.exe process, ShellWindow COM object is using the “Document.Application” property. The recursive COM object method discovery found that you can call the “ShellExecute” method on the object returned by the “Document.Application.Parent” property
COM object with CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880} for ShellBrowserWindow:
Just like ShellWindows, this method is hosted by an existing explorer.exe process, ShellBrowserWindow COM object is using the “Document.Application” property and you can call the “ShellExecute” method on the object returned by the “Document.Application.Parent” property
Lateral movements using DCOM
MMC Application Class (MMC20.Application):
Discovered by Matt Nelson back in 2007, This COM object allows you to script components of MMC snap-in operations, however Matt discovered that we can leverage a method named (ExecuteShellCommand) under Document.ActiveView to execute commands over the network.
We can use ExecuteShellCommand method of MMC20.Application to execute command remotely or start a process
EXCEL DDE (Excel.Application):
DDE functionality in Office applications could be used remotely through DCOM first published by Cybereason
The DDEInitiate method exposed by the Excel.Application objects limits the App parameter to eight characters But the Topic has a much more manageable character limit of 1,024, which is imposed by the CreateProcess function, Furthermore, the method appends “.exe” to the App parameter, so “cmd.exe” tries to run “cmd.exe.exe”, which will obviously fail, so we need to remove the extension (.exe) when calling the method, also it will pop up some alert, researcher found that it can be disabled by using DisplayAlerts property.[3]
internetexplorer.Application in iexplorer.exe:
One of the interesting techniques discovered by homjxi0e, you can open internet Explorer browser on remote machines by using navigate methods which you can use it get command execution by browser exploits.
DCOM object with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} for ShellWindows:
As we showed on command execution section earlier this COM object can also be used remotely by adding remote IP after CLSID.
DCOM object with CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880} for ShellBrowserWindow:
Just like ShellWindows this COM object can also be used to execute commands on remote machines.
Passing credentials for non-interactive shell:
DCOM objects runs under current user session which can be a problem if we have a non-interactive shell and we want to run it under higher privileged user. A quick solution is to use RunAs implementation by antonioCoco in C# , which we can integrate it with our chosen DCOM object to pass credentials in non-interactive shell (note this will be a better choice than invoke-command since it uses WinRM)
First we need to encode our chosen DCOM object using base64 i.e.:
Then we can call invoke-RunasCs function using the following command
Detection
– Using these DCOM methods will (likely) require privileged access to the remote machine. Protect privileged domain accounts. Avoid password re-use across local machine accounts.
– Ensure that defense-in-depth controls, host-based security products, and host monitoring are in place to detect/deter suspicious activity. Enable host-based firewalls to prevent RPC/DCOM interaction and instantiation.
– Monitor the file system (and registry) for newly introduced artifacts and changes.
– Monitor for suspicious use of PowerShell within the environment. Enforce Constrained Language Mode wherever/whenever possible (*Note: This may be difficult for privileged accounts).
– Upon DCOM invocation ‘failure’, System Event ID 10010 (Error, DistributedCOM) will be generated on the target machine with reference to the CLSID: [4]
Source:
Stay connected