
LocalServer32 – Meterpreter TreatAs/ProgID

Microsoft introduced the Component Object Model (COM) in Windows 3.11 as a method to implement objects that can be consumed by different frameworks (ActiveX, COM+, DCOM, etc.) and in different Windows environments, allowing interoperability, inter-process communication and code reuse. Abuse of COM objects enables red teams to execute arbitrary code on behalf of a trusted process.

Administrator privileges are not required to perform COM hijacking: when a process resolves a CLSID, classes registered in the HKCU hive take precedence over the same classes in HKLM, so a per-user registration is loaded first. The only exception is high-integrity (elevated) processes, which load objects from the HKLM location only, precisely so that per-user registrations cannot be used to elevate privileges. Code execution through COM can be achieved in multiple ways, and COM has been used in red teaming scenarios for persistence, lateral movement and defense evasion.

Depending on how the malicious code is to be executed, different registry sub-keys are used during COM hijacking: InprocServer32 to load a DLL into the calling process, LocalServer32 to start an executable, and TreatAs or ProgID to redirect one class to another. These sub-keys live under the CLSID key of the following registry hives:

HKEY_CURRENT_USER\Software\Classes\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID

Identifying COM keys that can be used for COM hijacking is trivial and does not require elevated privileges, since the target is the HKCU hive. Process Monitor is used to discover COM servers that a process looks up under HKCU\Software\Classes\CLSID but whose CLSID does not exist there: the per-user lookup fails with NAME NOT FOUND and the HKLM registration is used instead, which means an attacker-created per-user key with that CLSID would be loaded in its place. Process Monitor can be configured with the following filters:
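The precedence rule above (HKCU before HKLM for non-elevated processes) is also what a defender hunts for. The script below is an added example, not code from the original post: it flags per-user COM registrations that shadow a machine-wide one, point a server at a user-writable path, or redirect a class through TreatAs/ProgID. Collection uses the standard-library winreg module and therefore only runs on Windows; the analysis is pure Python and is exercised on a constructed sample (the CLSIDs, paths and the "trusted prefix" list are assumptions, not data from the page).

```python
r"""Hunt for per-user COM registrations that shadow machine-wide ones.

Added example (not the post's own code).  HKCU\Software\Classes\CLSID is
consulted before HKLM for non-elevated processes, so a CLSID present in
both hives, or a per-user server living in a user-writable path, is what a
COM hijack looks like from the defender's side.
"""
import re
import sys

SERVER_SUBKEYS = ("InprocServer32", "LocalServer32", "TreatAs", "ProgID")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

# Locations an ordinary user cannot write to.  Assumption: system drive C:
# and default install paths; adjust for the environment being examined.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def is_user_writable(path):
    """True if the server path (quotes and arguments tolerated) is outside
    the trusted prefixes.  %SystemRoot%/%windir%/%ProgramFiles% are expanded;
    any other unexpanded variable is treated as untrusted."""
    p = path.strip().strip('"').lower()
    p = p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    p = p.replace("%programfiles%", "c:\\program files")
    return not any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def find_hijack_candidates(hkcu, hklm):
    """hkcu/hklm map CLSID -> {subkey: default value}.  Returns a list of
    (clsid, subkey, server, reasons) for each per-user registration that
    shadows HKLM, uses a user-writable server, or is a TreatAs/ProgID redirect."""
    findings = []
    for clsid, subkeys in hkcu.items():
        for subkey, server in subkeys.items():
            reasons = []
            if clsid in hklm:
                reasons.append("shadows HKLM registration")
            if subkey in ("InprocServer32", "LocalServer32") and is_user_writable(server):
                reasons.append("server outside trusted path")
            if subkey in ("TreatAs", "ProgID"):
                reasons.append("per-user %s redirect" % subkey)
            if reasons:
                findings.append((clsid, subkey, server, reasons))
    return findings


def collect(root_name):
    r"""Windows-only: walk <root>\Software\Classes\CLSID and read the default
    value of each server sub-key.  Returns the dict shape used above."""
    import winreg  # only importable on Windows
    root = getattr(winreg, root_name)
    result = {}
    with winreg.OpenKey(root, r"Software\Classes\CLSID") as clsid_key:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(clsid_key, i)
            except OSError:
                break
            i += 1
            if not CLSID_RE.match(clsid):
                continue
            for subkey in SERVER_SUBKEYS:
                try:
                    with winreg.OpenKey(clsid_key, clsid + "\\" + subkey) as sk:
                        value, _ = winreg.QueryValueEx(sk, "")
                except OSError:
                    continue
                result.setdefault(clsid, {})[subkey] = str(value)
    return result


# Constructed sample (not real registry data): one benign per-user class,
# one DLL hijack shadowing HKLM, one TreatAs redirect to the hijacked class.
SAMPLE_HKCU = {
    "{00000000-0000-0000-0000-000000000001}": {"InprocServer32": r"C:\Program Files\Vendor\good.dll"},
    "{00000000-0000-0000-0000-000000000002}": {"InprocServer32": r"C:\Users\bob\AppData\Roaming\evil.dll"},
    "{00000000-0000-0000-0000-000000000003}": {"TreatAs": "{00000000-0000-0000-0000-000000000002}"},
}
SAMPLE_HKLM = {
    "{00000000-0000-0000-0000-000000000002}": {"InprocServer32": r"%SystemRoot%\system32\real.dll"},
}


def main():
    if sys.platform == "win32":
        hkcu, hklm = collect("HKEY_CURRENT_USER"), collect("HKEY_LOCAL_MACHINE")
    else:
        hkcu, hklm = SAMPLE_HKCU, SAMPLE_HKLM
    for clsid, subkey, server, reasons in find_hijack_candidates(hkcu, hklm):
        print(clsid, subkey, server, "; ".join(reasons))


if __name__ == "__main__":
    main()
```

Run it as the user being investigated, since HKCU is per user; a per-user entry that only "shadows HKLM" can be legitimate (per-user installs do this), so the server path and the process that loads the class should be checked before calling it a hijack.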

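The same discovery can be done offline against a Process Monitor CSV export (File > Save, CSV format), which is useful when the trace was captured on another host. The script below is an added example and not the post's own code: it applies the equivalent of the GUI filters, keeping registry opens under the per-user CLSID hive that failed with NAME NOT FOUND, and ranks the resulting CLSIDs by how many distinct processes looked them up (more processes means more triggers for persistence). The column names are those of Process Monitor's CSV export; the log lines and CLSIDs are constructed for the example.

```python
r"""Apply COM-hijack discovery filters to a Process Monitor CSV export.

Added example, not the post's own code.  A RegOpenKey on
HKCU\Software\Classes\CLSID\{...}\<server sub-key> that returns NAME NOT
FOUND means the process asked the per-user hive first and found nothing, so
a key created there would be loaded instead of the HKLM one.  Elevated
processes never consult HKCU for this and therefore never appear here.
"""
import csv
import io
import re
from collections import defaultdict

# Server sub-keys whose absence in HKCU makes a CLSID hijackable.
SERVER_SUBKEYS = ("InprocServer32", "LocalServer32", "TreatAs", "ProgID")

PATH_RE = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\("
    + "|".join(SERVER_SUBKEYS) + r")$",
    re.IGNORECASE,
)


def find_missing_com_keys(csv_text):
    """Return {(clsid, subkey): set(process names)} for every RegOpenKey of
    a per-user COM server key that failed with NAME NOT FOUND."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegOpenKey":
            continue
        if row["Result"] != "NAME NOT FOUND":
            continue
        m = PATH_RE.match(row["Path"])
        if m:
            hits[(m.group(1).upper(), m.group(2))].add(row["Process Name"])
    return dict(hits)


def rank_candidates(hits):
    """Sort candidates by number of distinct processes that looked them up,
    then by CLSID, as a list of (clsid, subkey, sorted process list)."""
    ranked = [(clsid, subkey, sorted(procs)) for (clsid, subkey), procs in hits.items()]
    ranked.sort(key=lambda t: (-len(t[2]), t[0], t[1]))
    return ranked


# Constructed sample in Process Monitor's CSV export layout (synthetic CLSIDs,
# PIDs and timestamps).  Rows 2 and 5 succeed and row 6 has no server sub-key,
# so they must not be selected.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","explorer.exe","4120","RegOpenKey","HKCU\Software\Classes\CLSID\{0A1B2C3D-0000-4000-8000-00000000AAAA}\InprocServer32","NAME NOT FOUND","Desired Access: Read"
"10:01:02.1234600 AM","explorer.exe","4120","RegOpenKey","HKCR\CLSID\{0A1B2C3D-0000-4000-8000-00000000AAAA}\InprocServer32","SUCCESS","Desired Access: Read"
"10:01:03.0000000 AM","notepad.exe","5200","RegOpenKey","HKCU\Software\Classes\CLSID\{0A1B2C3D-0000-4000-8000-00000000AAAA}\InprocServer32","NAME NOT FOUND","Desired Access: Read"
"10:01:04.0000000 AM","svchost.exe","900","RegOpenKey","HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32","NAME NOT FOUND","Desired Access: Read"
"10:01:05.0000000 AM","svchost.exe","900","RegOpenKey","HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32","SUCCESS","Desired Access: Read"
"10:01:06.0000000 AM","explorer.exe","4120","RegOpenKey","HKCU\Software\Classes\CLSID\{0A1B2C3D-0000-4000-8000-00000000AAAA}","SUCCESS","Desired Access: Read"
'''


def main(path=None):
    text = open(path, encoding="utf-8-sig").read() if path else SAMPLE_CSV
    for clsid, subkey, procs in rank_candidates(find_missing_com_keys(text)):
        print("%s\\%s looked up by %d process(es): %s" % (clsid, subkey, len(procs), ", ".join(procs)))


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Pass the exported CSV as the first argument; with no argument the constructed sample is used. Candidates loaded by explorer.exe or other processes that start at every logon are the ones worth a closer look, since writing the missing HKCU key needs no privileges and the class is loaded by a trusted process.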