© All rights reserved. Cyber Struggle 2022
Cyber Struggle
  • Company
    • About Us
    • CS Internals
    • CS Manifesto
    • Open Letter for Ranger Grads
    • Careers
    • Press and Media
    • GDPR Notification
    • Contact Us
  • Products
    • S-46 Platform
  • Certifications
    • Ranger Certification
      • Ranger Certification Details
      • Ranger Testimonials
    • Aegis Certification
      • Aegis Certification
      • Aegis Testimonials
    • Contemprorary Certifications
      • Cyber Struggle Tactical Pistol Operator
  • For Corporates
  • Resources
    • Articles
    • Threat Reports
    • Tools
    • Announcements
  • Community
    • Community Programs
      • Ribbon Program
    • Delta Group
0
Cyber Struggle
Home / Blog / Articles / COM Hijacking for Persistence

COM Hijacking for Persistence

By cyberstruggle inArticles, Delta Group

COM Object?

The Microsoft Component Object Model (COM) is an interface standard that allows the software components to interact and communicate with each other’s code without knowledge of their internal implementation. Microsoft says

COM is a technology that allows objects to interact across process and computer boundaries as easily as within a single process

It uses client/server architecture. COM clients are the programs that use COM objects, and the COM servers are the COM objects themselves. The COM server can be hosted either in a DLL (called an in-process server) or in an EXE (called an out-of-process server).

125692944-845f4efc-5521-4d30-844f-3675063ebf8b

COM objects ,can be created and used by in any languages, was designed to support reusable software components that could be utilized by all programs. Some COM clients examples:

  • VBA -> CreateObject
  • PowerShell -> New-Object -COMObject
  • Python -> pywin32
  • Ruby -> win32ole

COM objects are identified by their globally unique identifiers (GUIDs) known as class identifiers (CLSIDs) and interface identifiers (IIDs) and they are registered in

* HKEY_CURRENT_USER\Software\Classes\<CLSID>  (Per-User)
                                                               ---merged---> HKEY_CLASSES_ROOT\CLSID
* HKEY_LOCAL_MACHINE\Software\Classes\<CLSID> (System-Wide)

registry hives. The merged registry hive HKCR contains the combined information of HKCU and HKLM.

HKCU vs HKLM

  • HKLM contains information related to the computer while HKCU contains information specific to the user.
  • If there is a change in HKLM, it affects every user of that computer but if HKCU has a change, it only affects that user.
  • HKLM requires administrator privileges while it is enough to have regular user privileges for HKCU
  • HKLM is loaded on start-up, HKCU is loaded when the user logged in.

Some important registry sub-keys:

  • InprocServer/InprocServer32 – represents a path to a dynamic link library (DLL) implementation, in-process COM objects
  • LocalServer/LocalServer32 – represents a path to an executable (exe) implementation, in another process
  • TreatAs – Points another CLSID
  • ProgID – human-readable text equivalent
125678711-33e153f5-959f-4089-97c4-3fea22a85f4f
125678859-fec4fbf3-eb02-44a3-9cdd-017dbd6bd18c
125679015-5732e9ca-06da-4c05-8aa3-6e47777bb9e9

Some Use Cases

Malware authors can use malicious VBA macros to run arbitrary commands. Here is an example of the usage of WScript.Shell COM objects in VBA:

Sub WriteRegistry()
    Dim WshShell As Object
    Set Wshshell = CreateObject("WScript.Shell")
    WshShell.Run( "powershell.exe <command>")
End Sub

As another example, an Excel sheet can be embedded in a Word document.

125694358-4b3ad3a9-b39d-4fd0-af3b-76e0b188db89

Also, COM can be used in third-party applications. We can show 7-Zip right-click menu items as an example. Here, the Windows explorer shell is the COM client.

125695586-afbb975a-d0cc-4187-ae0f-fc19cba71558

Abusing COM Objects – COM Hijacking

Before a process can access a COM object, registration is needed first. Via regsvr32.exe, COM object can self-register.

regsvr32.exe /n <dllname>.dll

When registering an object, HKCU key has precedence over HKLM key. This means that keys are read from HKCU before HKLM, and to add keys HKCU no special privileges are required. Thus, COM hijacking can be performed with regular user privileges.

Any object is registered in HKCU hive will be loaded before an object is registered in the HKLM hive.

Exception:
High integrity processes (elevated) load only from HKLM to prevent elevation of privileges.

When the legitimate programs used COM objects, their associated DLLs get loaded into the process address space of the client program. This is where the idea comes into play. If the attacker replaces the registry entry with the malicious DLL, when the hijacked object is used through normal system operation, the adversary’s code will be executed.

In short, a system-wide COM object is replaced by a malicious user-specific object.

COM hijacking technique can be used for persistence, lateral movement, privilege escalation and defense evasion.

To hijack a COM object:

  • First, we need to find hijackable keys and extract them to use.
  • Second, we need to create our payload.
  • Finally, hijack the key.

Let’s see how we can enumerate the keys with Procmon.

How to Find COM Hijacking Opportunity Using Sysinternal Tools

For enumerating possible keys to hijack, we can use Process Monitor from Sysinternals. We can discover COM servers that have missing CLSIDs under the HKCU.

For that let us filter the ProcMon.

126052302-39d07077-2121-48e2-9061-2db369502bea

Do standart user things and ProcMon will capture events and they are orphaned CLSIDs.

126052349-8d8dc406-d1a4-4fdb-aa94-732c17b641f0

This lists consists of possibly hijackable trusted processes. Let’s save it and then we will extract keys to hijack. David Tulis developed a script for that called acCOMplice.

126052541-15b88d76-8f78-4b59-bd43-dd1e8797a604

Finding missing libraries on the system

126052575-28dd3197-7c86-448b-98c7-3a1d7685af04

As a result, Process Monitor can be used to enumerate CLSIDs. When you find a possible CLSID, you can hijack it with one of the techniques.


How It Can Be Used For Persistence

COM hijacking is a stealthy persistence technique. We can find this technique in Mitre ATT&CK framework.

It has multiple techniques like hijacking existent components by CLSID, ProgID, or scheduled tasks etc. Let’s cover some of them.

Hijacking by CLSID

We know that COM components are identified by CLSIDs and HKCU takes precedent. So attackers can enter their own malicious dll here. With this technique, malicious dll will run instead of the real COM component. This impacts only the current user and does not require special privileges. However, this will have a suspicious look because the real component will not be launched and do their functions. To avoid this situation, the combination of malicious payload and instance of the original COM component will work.

Let’s try to get a reverse shell with this technique.

126045835-f8a3bbfe-4d81-4bb0-8f81-6c5fa81ba44c

HKEY_CURRENT_USER\Software\Classes\CLSID > New > Key

126045883-e079efab-5e19-413a-bb65-bab46df2acdc

Then add the same CLSID as a commonly used component and point it to malicious dll.

126045954-e050ed0f-287d-46b9-b207-e2ef6fc2b49d

Now, if the victim tries to load the component that the attacker chose, it launches a reverse shell back to the attacker.

Hijacking by ProgID

An application can use the ProgID when they do not know the CLSID of a component. Similarly, to hijack by ProgID, a false ProgID entry can be added under the HKCU with the malicious CLSID.

126047064-a6b798fe-ea09-42cf-8b96-58feabf853bc

Hijacking by TreatAs

According to Microsoft, TreatAs specifies the CLSID of a class that can emulate the current class. With TreatAs, we can make a reference to a different component.

After creating the malicious CLSID, we need a new CLSID (as the same with the target component) and add the TreatAs key with the CLSID of the malicious class.

If the victim tries to load the target component, again, the malicious payload will run.

126048530-54e5c0c3-8975-47e0-8342-910a2a62dde4

Hijacking Orphaned Keys

Sometimes, there may be nonexistent InprocServer32/InprocServer and LocalServer32/LocalServer key-values. For example, this case can occur when 3rd party software components are uninstalled. In this situation, an attacker can place a malicious payload at abandoned paths, but this is not feasible all the time because most COM servers require Administrator privileges for writing.

Search Order Hijacking

This technique based on registry precedence rules. Like Bohops says in the blog post, “By adding the proper registry keys in the HKCU Registry hive, keys located in HKLM are overridden (and ‘added’ to HKCR) when referencing the target COM object.”

When you load a different dll, it may crash the applications. To avoid that leoloobeek wrote COMProxy. It allows us to run the malicious functionality and at the same same time the original DLL’s functionality. So, it protects applications from breaking.

Scheduled Tasks

Since Scheduled tasks take action from HKCR\CLSID, we can find a possibility to hijack because of the precedence rules.

Like enigma0x3 mentioned in his blog post before, some of the scheduled tasks have “Custom Handler” action. When we look at their XML schema file, we will see an COMHandler under the Actions Context CLSID.

127553855-eca4bec5-c6b7-4549-aa53-e36d3e4b67d1
127553888-a078fd4b-8b75-4d86-954c-64c0e444f2f5

By modifying the Default value of the CLSID’s sub-key with our malicious payload, when the scheduled task run, the malicious payload is executed.


How We Can Detect It?

COM hijacking technique is not an easily detectable technique because it uses trusted system processes.

  • Because of the COM components registry entries, per-user is not frequent, these changes can be considered suspicious.
  • Sysmon can be configured for HKCU\CLSID actions.
  • Watch TreatAs keys
  • Check abandoned keys
  • If there is a registered per-user COM object which has a different dll in machine-wide, it is suspicious.
  • Due to CLSIDs can be called by rundll32.exe -sta {CLSID}, rundll32.exe usage can be monitored

References and More

  • https://attack.mitre.org/techniques/T1546/015/
  • https://docs.microsoft.com/en-us/windows/win32/com/com-objects-and-interfaces
  • https://youtu.be/pH14BvUiTLY
  • https://youtu.be/svFundrBIiQ
  • https://youtu.be/yecohKHoh6g
  • https://youtu.be/3gz1QmiMhss
  • http://www.differencebetween.net/technology/hardware-technology/difference-between-hkey_current_user-and-hkey_local_machine/
  • https://stmxcsr.com/persistence/2020/02/15/com-hijacking.html
  • https://0xpat.github.io/Abusing_COM_Objects/
  • https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com
  • https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
  • https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
  • https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/
  • http://codetastrophe.com/Larimer-VB2011.pdf
  • https://attackiq.com/2020/03/26/component-object-model-hijacking/
  • https://pentestlab.blog/2020/05/20/persistence-com-hijacking/
  • https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
  • https://cyberfishnews.com/persistence-com-hijacking-44899.html
  • https://github.com/nccgroup/acCOMplice
comcom hijackingcom objects
32 Posts
cyberstruggle
  • Ratelimit Bypass Tool: Whitepass
    Previous PostRatelimit Bypass Tool: Whitepass

Related Posts

Ratelimit Bypass Tool: Whitepass
Announcements Articles Delta Group

Ratelimit Bypass Tool: Whitepass

Credential Dumping Tool: Chalumeau
Announcements Articles Delta Group

Credential Dumping Tool: Chalumeau

Microsoft SMBv3 Remote Code Execution Vulnerability Overview CVE-2020-0796
Articles Delta Group

Microsoft SMBv3 Remote Code Execution Vulnerability Overview CVE-2020-0796

Microsoft ATA Evasion (Over PTH, Golden Ticket)
Articles Delta Group

Microsoft ATA Evasion (Over PTH, Golden Ticket)

Leave a Reply (Cancel reply)

Your email address will not be published. Required fields are marked *

*
*

four × 3 =

Certifications

About
CS Manifesto
Letter to Ranger Grads
Contact Us

About Company

Cyber Struggle Ranger
Cyber Struggle Aegis
Cyber Struggle TPO

For Corporates

Cyber Range Platform
SOC Maturity Certification
In-House SOC Mngmt
Outsource SOC Mngmt
Head Hunting Partnership

Subscribe to newsletter

cs_logo_son

© 2023 Cyber Struggle

in
F.A.Q
Support Forum
Video Tutorials

Search panel can contain any widgets and shortcodes.

Call us: 0 800 255 22 55
Copy