[00:00:00] Is this thing on? Alright, I've started. Well, thank you everyone for coming today. I'm going to talk about COM hijacks. A little bit of background about me: my name is David Tulis, I'm an offensive security practitioner and researcher. I currently work for NCC Group. I lead red teams, I do Windows and AD pentesting, social engineering, physical security tests. This is a picture I had absolutely no business being in, and you know what they say about being able to get anywhere you want if you're wearing a reflective vest; that is completely true.

[00:00:40] So what am I going to talk about today? I'm gonna start by going over the basics of COM, understanding why it exists and how it works. I'll talk about the vulnerability in the COM activation process, how to identify hijack events on a system, followed by demonstrations of how an attacker can hijack objects to have their code loaded by other processes. I'll talk about some practical usages in offensive operations and then some takeaways for red and blue teams.

[00:01:06] So why the interest in this? COM is available in all versions of Windows dating back to Windows 3.1. Abuse of the COM object activation process will cause other processes to load arbitrary libraries of the attacker's choice. Depending on the details of how this is done, this can be used for persistence, for defense evasion, for lateral movement. COM hijacking has been observed in the wild, mostly just for persistence. It's registered on the MITRE ATT&CK framework as technique T1122, and for how useful and versatile this technique is, I don't think it's talked about nearly as much as it should be, so I want to show you all how cool COM hijacks are.

[00:01:54] COM is a very interesting interface for attackers, and unless you have previous experience in COM development it's likely just a magical black box. So COM stands for the Component Object Model. It's been around since 1992, so this interface is actually older than me; you can imagine how archaic the interface is after almost 30 years of age. COM is the fundamental framework behind many other Microsoft technologies including ActiveX, OLE, COM+, DCOM and more. You know how in UNIX everything is a file? Well, in Windows everything is an object, and COM gives developers a language-neutral way of implementing objects that can be called by other processes. This allows programs which are written by other vendors in other languages to reuse objects and methods from COM-enabled libraries without any knowledge of the internals. This flexibility allows for implementation internals to change without requiring developers to recompile applications to account for updates in a library's binary structure.

[00:03:00] COM gives us the ability to interact. If you've ever embedded an Excel sheet in a Word doc, this is handled by Microsoft Word activating various Excel COM objects and then calling their methods to show you these Excel features all from within Word, and there's no excel.exe required. Here's another example: if you've ever created a malicious VBA macro, then you probably created a WScript.Shell COM object and used that object to run arbitrary shell commands from VBA using that object's Run method. Or maybe if you're familiar with James Forshaw's DotNetToJScript project, that magical black box of .NET in VBA, that's all done through the creation of certain COM objects which expose the .NET runtime from VBA.

[00:03:51] Why does COM need to exist? Well, Windows is full of libraries. They're used to pass around objects and functions between processes, and this is all done through library files. So put on your developer hat. Pretend you're a developer and you want to distribute a library so that other programs can interact with your program. So you can provide a statically linked library; in Windows these are .lib files. This means that anybody who wants to use your library must compile their program against your library. Any updates you make to your library, you then must distribute those updates to developers, who must recompile against the new version. Plus you can have multiple versions of the same library existing on disk or in memory at the same time, which just wastes resources. This is not ideal. You could provide a dynamically linked library, so now your new package is a DLL file. In Windows you export your methods and rely on the OS to dynamically resolve and link methods at runtime using API calls like LoadLibrary or GetProcAddress. So now you only have one DLL in memory, but you risk taking a trip to what's referred to as DLL hell, where software will overwrite the DLL that other software relies on, breaking that functionality. Also not ideal.

[00:05:05] So COM solved all these problems. The core principle of COM is to separate the library interfaces from the library implementations. Developers will define their interface to the COM standard and allow their classes to be instantiated from other processes and other languages at any point in time, because applications and libraries need to be updated, and without changing the underlying structure of the procedures. So when a binary is made COM-aware it follows this standard, so a program can be updated, recompiled, and third-party applications can still instantiate that class and access the necessary functions. Implementations can be changed, but the interface has never changed, so a third-party application
will always be able to use that library's resources through the never-changing interface.

[00:05:55] COM uses a client-server architecture. The reusable code must be registered as a COM server; this contains the interfaces and the implementations. A COM client is whatever code wants to make use of that object and the functions implemented by the server. This is done by getting a pointer to the COM server's interfaces and then calling the methods available. Servers can either be hosted in-process, through a DLL file that's loaded into another process, or as an out-of-process server. Out-of-process servers are required if you want to call a COM object that's available on another machine.

[00:06:30] COM server components must be assigned physical names and logical names. So a logical name like Alert.MessageBox might be used by two different programs, so each COM object is given a physical name that is globally unique, or a GUID. There's a lot of GUIDs in COM, but the most important GUID is the class ID (CLSID); this is the identifier of the library's actual implementation. COM interfaces also have IDs, but all COM interfaces look the same. Their uniform structure allows for clients that don't know anything about the interface or the implementations to query the interface for a list of pointers which point to the actual interfaces supported by a COM library. There's only three methods exposed by this interface: there's QueryInterface, that retrieves the pointers to the supported interfaces of the object, and then there's the ability to increment or decrement a reference counter of who is using the object.

[00:07:29] And COM clients really can be in any language. COM clients in languages that are not natively supported by Windows have libraries to help with the creation and management of objects, but at the Windows API level developers will often use the CoCreateInstance API as a generic function to create a single instance of an object. This function will call the exported DllGetClassObject function, which is exported by all COM libraries. This calls the object interface's QueryInterface method; this method retrieves the pointers to the interfaces implemented in the object, and then from there you can interact with the COM object using a pointer to its interface. And if you don't know the class ID, the OS is capable of resolving the ProgID to class ID using the CLSIDFromProgID API call.

[00:08:20] COM objects must be registered by the OS. This is done using the regsvr32 binary; this will register the DLL with the OS by calling the DLL's exported DllRegisterServer or DllUnregisterServer functions. If you take a look at what this process is doing to register the COM component, it's creating some registry keys containing the class ID. Take a look in the registry: COM libraries are all registered under the Software\Classes\CLSID key. Under each class ID there will be various subkeys which define object behavior. This particular object on the screen is an in-process server because it has an InprocServer32 key which points to a DLL file on disk. So InprocServer32 or InprocServer subkeys, these are in-process servers. The LocalServer subkey is for out-of-process servers. The 32 suffix is just in the case that the key is for 32- or 64-bit applications; a key with no suffix is for 16-bit compatibility. So this is the most important key in the COM registry structure, because this points to where a COM library is located on disk.

[00:09:30] COM objects can be registered on a per-user basis; these are registered in the HKEY_CURRENT_USER registry hive. COM objects that are registered system-wide are registered in the HKEY_LOCAL_MACHINE hive. In both cases they're written under the Software\Classes\CLSID key. If you're not familiar with the HKCR hive, HKEY_CLASSES_ROOT, this is a virtual hive. It doesn't actually exist in the same way that the HKCU and HKLM hives do. HKCR is a merged view of the class IDs from both the HKCU and HKLM registry hives. If a program wants to write to HKCR, this requires privileges, because writes to HKCR are mapped to the local machine registry hive.

[00:10:15] So let's do a survey of what COM objects are registered on a system. My test box for all of this was just a Windows 10 Pro box. I installed Chrome, I installed Office 2016. I wanted this test box to resemble systems that are often seen in enterprise environments. As seen in these statistics, the majority of COM servers are in-process servers, and the majority of COM objects are registered system-wide. And you can try this at home if you want. So I wrote a PowerShell script for basic interaction with COM and COM hijacks. It'll be uploaded to this repository within the next week; actually, I need to clean up my code a little bit and write some documentation. If you want to see any of these objects in more detail, I recommend using the OleViewDotNet project. This is an open source tool written by James Forshaw for exploring COM objects on a system. Highly recommend.

[00:11:08] So if you weren't paying attention before to all the boring stuff about COM internals, I'm going to talk about the fun part now. So recall that objects can be registered either per user or system-wide, so
per-user objects have precedence. Any object that is registered in the HKCU hive will be loaded before an object that is registered in the HKLM hive. The exception to this rule is high-integrity processes; they read directly from the HKLM hive, because it would be trivial to escalate your privileges if high-integrity processes were reading from the HKCU hive. But if you recall from the previous survey, remember that the COM objects were mostly registered system-wide, and although we do need administrator-level privileges to write to HKLM, we don't need any of those privileges to write to HKCU. So any class ID that you write in the HKCU registry hive, that class ID you can point to any COM server that you want, and that will be loaded before the legitimate object is loaded, even if the key is duplicated. So when it has values in HKCU and HKLM, if the client is reading objects from the HKCR hive, it's only going to read that object that is present in HKCU. This technique is kind of the cousin of DLL hijacking: instead of exploiting insecurities in the Windows loader process and how it finds DLLs, we're just exploiting the COM resolution process and how COM clients are attempting to locate the library for a COM server.

[00:12:45] So to uncover hijackable keys I used Sysinternals Procmon to test this. It's the same Windows 10 Pro machine: I've got Chrome, I've got Office 2016 installed. My testing strategy was really simple. For five minutes I launched each application, I let them run, I opened files, I saved files, you know, normal user behavior. I want to find keys that are reliably triggered through normal use, otherwise it's going to be of limited value to me as an attacker. The filter I used to identify these events: we're looking for registry keys where the result was NOT FOUND. We'll further hone the filter by looking at InprocServer32 keys, because that's going to be the majority of COM servers on a machine. I'm also going to ignore reads to HKLM, because that requires administrative privileges to write to. The result: in about five minutes there were over 11,000 attempted registry reads to user-land writable locations in the registry. That means that there's 11,000 events where an attacker's library could have potentially been loaded into another process. Take the results of this and export to a CSV for analysis. So from the previous sample capture, this command that I wrote just parses the CSV, and from the sample that I took there were about 628 unique class IDs that were activated across various user processes that were all launched over the five minutes of testing.

[00:14:15] So let's write a proof-of-concept library and hijack one of these we found in the previous slides. So remember that in-process COM servers need to be registered as a DLL, they need to be implemented in a DLL file, but the good news about this is that the DLL does not need to implement any of the COM functions I discussed previously. You don't need to implement any of the registration functions, you don't need to implement any of the interface-querying functions; none of that is required. So DLL files have a DllMain function. This is called whenever a process attempts to map or unmap a DLL into its process space. It's also called whenever a process creates or stops a thread. But COM object activation is going to be loading libraries, so this seems like the best place to run some type of payload. DllMain is kind of an interesting function; it's not actually exported from a DLL. So there's a PE header which contains the entry point for the PE file, and in the case of DLLs this is just the DllMain function. But the potential issue with this technique is that the OS holds a loader lock whenever it's loading DLLs. That lock is held before DllMain is called. The loader lock is held to ensure that multi-threaded programs don't deadlock if multiple threads within a process are attempting to change the list of modules which have already been loaded, because doing this can introduce some dependency loops inside of Windows' extremely fragile loading process. So because of this it's not really advised to do much inside of DllMain. We're kind of limited
here, because anything that could cause a lock or a hold for an extended period of time will cause the program to crash. We can't lock anything, we can't wait for any locks, you can't wait for a process to do something, you can't wait for a thread to execute, because all of these actions will cause a deadlock.

[00:16:11] Here's an implementation of DllMain. It's nothing special, a library project, but what this reads is that if the DLL is being loaded into another process, signified by the DLL_PROCESS_ATTACH event, let's do evil stuff. What evil stuff? Here's a basic and naive approach: let's just spawn a new process.

[00:16:34] Alright, let's see our proof of concept. So in this POC I'm going to show first that I have no administrative rights, I'm just a low-level user, there's no tricks up my sleeve here. So this is a GUID for a COM object, you'll see right here, and then there's the DLL that has been dropped to disk. All I'm doing here is just creating a new registry key with a GUID that exists in HKLM. So I've added the registry key. Once it's done, let's just do something that a user is going to do, let's like click an icon on the desktop. So look at the top there to see that in Procmon, and we have a calculator.

[00:17:22] So spawning calc is a cool concept. I'm a red teamer, I can't always be spawning processes. AV and EDR products are very good at catching process creations, and I probably don't want to do this in an actual environment I'm testing. So remember, in loader lock we can't load any libraries; we're going to be limited. We can't load any libraries, only what's already loaded into the process's memory space, but we know that kernel32.dll is always going to be loaded, and this gives us quite a few functions we can use, say, to get a handle on a process, maybe allocate a chunk of memory, write some shellcode to that memory block and then create a new thread. You know, everything that we need to do for shellcode injection into another process.

[00:18:26] So in this demo I'm going to show that from DllMain you can call the Windows API functions required to inject shellcode into another process and then how to run it. So in this demo I'm hijacking a class ID that I know is called by chrome.exe. We're adding the registry key again, so just watch the Procmon at the top. You'll see that as it's launched, Chrome has loaded our DLL. This time it's Notepad. If you look on the right you'll see in Process Explorer that Notepad actually spawned from Explorer. This is just showing that our shellcode, even though it was launched from Chrome, it was run inside of Explorer's memory space. So now we're not spawning any processes.

[00:19:12] Some downsides. Most importantly, injecting shellcode into other processes, this is a very well-known technique to AV and EDR. Hell, to even run that proof of concept I had to disable Windows Defender. But there are a lot of other techniques for process injection that, no, I didn't really test; that's kind of out of scope of this talk. There's a collection of different injection techniques on the theevilbit GitHub repository. CreateRemoteThread is definitely the most well-known and well-signatured technique, so just probably changing this technique to a more obscure process injection technique could make this technique usable in a real environment.

[00:19:50] So some of you are probably asking, well, why don't I just create a thread inside DllMain? And that really would be the best case, where our DLL can continue to live inside of the COM client process without creating any new processes, without calling any suspicious APIs to inject shellcode into another process. But whatever threads we create inside of DllMain, the thread entry point is not going to be called until the loader lock is released. But there is another function that we could possibly use here. So the DllGetClassObject function, this is exported by all COM-enabled DLLs; this fetches the class objects implemented in the library. This function is called whenever a COM object is activated, and there's no loader lock that's held when this function is called. So we can try to keep our DLL loaded in memory by not returning, you know, the OK sign whenever DllCanUnloadNow is called. So this is called pretty regularly when a process is trying to
probably changing this technique to a 479 00:19:45,020 --> 00:19:50,330 more obscure process injection technique 480 00:19:47,720 --> 00:19:54,320 could make this technique usable in this 481 00:19:50,330 --> 00:19:55,850 movie so some of you are probably asking 482 00:19:54,320 --> 00:19:58,700 well why don't I just create a thread 483 00:19:55,850 --> 00:20:02,540 inside and that really would be the best 484 00:19:58,700 --> 00:20:05,150 case we our DLL can continue to live 485 00:20:02,540 --> 00:20:07,340 inside of the compliance process without 486 00:20:05,150 --> 00:20:09,650 creating any new processes without 487 00:20:07,340 --> 00:20:12,020 calling any suspicious api's to inject 488 00:20:09,650 --> 00:20:14,420 shell code in genetic process but 489 00:20:12,020 --> 00:20:16,730 whatever threads we create inside a PLL 490 00:20:14,420 --> 00:20:19,010 main the thread entry point is not going 491 00:20:16,730 --> 00:20:21,560 to be called until the loader lock is 492 00:20:19,010 --> 00:20:25,129 released but there is another function 493 00:20:21,560 --> 00:20:27,110 that we could possibly use here so the 494 00:20:25,130 --> 00:20:30,020 DLL gate class object function 495 00:20:27,110 --> 00:20:31,550 this is exported by all common Abel DLLs 496 00:20:30,020 --> 00:20:33,500 this fetches the class objects 497 00:20:31,550 --> 00:20:35,710 implemented in the library this function 498 00:20:33,500 --> 00:20:37,670 is called whenever a comm object is 499 00:20:35,710 --> 00:20:40,540 activated and there's no loader lock 500 00:20:37,670 --> 00:20:44,320 that's held when this function is called 501 00:20:40,540 --> 00:20:46,270 so we can try to keep our DLL loaded in 502 00:20:44,320 --> 00:20:49,270 memory by not returning you know the 503 00:20:46,270 --> 00:20:51,040 okay sign whenever DLL can unload is 504 00:20:49,270 --> 00:20:52,660 called so this is called pretty 505 00:20:51,040 --> 00:20:54,550 regularly when a process is trying to 506 00:20:52,660 
--> 00:20:56,710 free up modules that are needed anymore 507 00:20:54,550 --> 00:20:59,590 but we do have some other problems 508 00:20:56,710 --> 00:21:01,540 outside of this so when you're hijacking 509 00:20:59,590 --> 00:21:03,520 a comm object you're preventing the 510 00:21:01,540 --> 00:21:05,860 process from loading a library that it 511 00:21:03,520 --> 00:21:07,690 needs to function properly so you know 512 00:21:05,860 --> 00:21:09,879 the process goes to the registry to find 513 00:21:07,690 --> 00:21:13,690 its calm server it gets a library it is 514 00:21:09,880 --> 00:21:16,180 not expected the library doesn't have 515 00:21:13,690 --> 00:21:18,430 the exports the name and the path on 516 00:21:16,180 --> 00:21:20,170 what's expected without implementing you 517 00:21:18,430 --> 00:21:22,690 need to calm interfaces it's just not 518 00:21:20,170 --> 00:21:25,300 acting right potentially catastrophic 519 00:21:22,690 --> 00:21:27,250 side effects other than just complete 520 00:21:25,300 --> 00:21:30,250 program crashes you could get random 521 00:21:27,250 --> 00:21:32,560 error messages certain UI elements like 522 00:21:30,250 --> 00:21:34,480 rich or misbehave or does not respond at 523 00:21:32,560 --> 00:21:37,060 all and about reverse engineering to 524 00:21:34,480 --> 00:21:39,960 compliant you can't know for sure what 525 00:21:37,060 --> 00:21:43,360 that behavior of a hijack is going to be 526 00:21:39,960 --> 00:21:45,340 so while some class IDs do cause crashes 527 00:21:43,360 --> 00:21:47,379 in this behavior hijacked there are a 528 00:21:45,340 --> 00:21:50,139 lot of class IDs which really don't care 529 00:21:47,380 --> 00:21:52,900 what the hell happens don't load any DLL 530 00:21:50,140 --> 00:21:55,360 they don't really care a few examples of 531 00:21:52,900 --> 00:21:58,480 such Keys how did I find them so I 532 00:21:55,360 --> 00:22:00,610 created another concept library so we're 533 00:21:58,480 --> 00:22:02,470 creating a 
thread in DLL main and we're 534 00:22:00,610 --> 00:22:04,959 creating another thread in DLL gate 535 00:22:02,470 --> 00:22:06,490 class object in Maya proof of concept 536 00:22:04,960 --> 00:22:08,230 these threads are just updating a file 537 00:22:06,490 --> 00:22:09,820 with an incrementing number but 538 00:22:08,230 --> 00:22:12,700 obviously you can change this to do 539 00:22:09,820 --> 00:22:14,560 whatever activity you desire as long as 540 00:22:12,700 --> 00:22:15,910 you remember the caveat of running a 541 00:22:14,560 --> 00:22:19,179 function when the loaded lock is held 542 00:22:15,910 --> 00:22:23,380 and that threads and DLL main won't 543 00:22:19,180 --> 00:22:26,070 start until DLL main exits so let's see 544 00:22:23,380 --> 00:22:26,070 what this looks like 545 00:22:26,630 --> 00:22:31,490 so in this demo here I've got six 546 00:22:30,080 --> 00:22:33,500 different class at use I'm gonna hijack 547 00:22:31,490 --> 00:22:35,720 all at the same time just using the 548 00:22:33,500 --> 00:22:38,570 hijack multiple keys command lit that I 549 00:22:35,720 --> 00:22:41,059 wrote in my PowerShell hum hijack 550 00:22:38,570 --> 00:22:44,330 toolkit script but this what this 551 00:22:41,059 --> 00:22:48,230 command is doing on the back end we're 552 00:22:44,330 --> 00:22:51,080 just gonna load a unique DLL for each 553 00:22:48,230 --> 00:22:54,289 class ID hijacked will see this just 554 00:22:51,080 --> 00:22:56,418 because it's each each class ID we're 555 00:22:54,289 --> 00:22:58,970 gonna hijack it said yellow with just in 556 00:22:56,419 --> 00:23:02,210 the name of the class ID just so we can 557 00:22:58,970 --> 00:23:04,490 keep track of who is loading what well 558 00:23:02,210 --> 00:23:06,320 once the keys are hijacked you know 559 00:23:04,490 --> 00:23:08,090 we're gonna launch Explorer and this 560 00:23:06,320 --> 00:23:10,850 time there's no cow there's no notepad 561 00:23:08,090 --> 00:23:12,500 instead when the DLL 
the dll's are 562 00:23:10,850 --> 00:23:14,928 loaded we're just starting some threads 563 00:23:12,500 --> 00:23:17,360 that are logging to a file that's unique 564 00:23:14,929 --> 00:23:22,070 per class ID and per thread created to 565 00:23:17,360 --> 00:23:24,799 just by observing the size log files 566 00:23:22,070 --> 00:23:27,950 know that the thread is still alive and 567 00:23:24,799 --> 00:23:29,870 running our code it's important to note 568 00:23:27,950 --> 00:23:32,330 here though the DLL gate class object 569 00:23:29,870 --> 00:23:35,449 this can be called potentially several 570 00:23:32,330 --> 00:23:40,399 times within the same the same thread so 571 00:23:35,450 --> 00:23:41,780 in which case you might get a file like 572 00:23:40,400 --> 00:23:44,120 this but you could get a file where 573 00:23:41,780 --> 00:23:46,190 there's you know multiple threads 574 00:23:44,120 --> 00:23:47,658 writing the same file so you know you do 575 00:23:46,190 --> 00:23:50,120 kind of need to make sure that the code 576 00:23:47,659 --> 00:23:52,730 you write is thread state that's 577 00:23:50,120 --> 00:23:56,860 absolutely I really wish you the best of 578 00:23:52,730 --> 00:23:56,860 luck writing thread safe code sucks 579 00:23:58,590 --> 00:24:02,699 there may be some cases where dropping a 580 00:24:00,870 --> 00:24:05,250 dll into the target environment might 581 00:24:02,700 --> 00:24:06,900 not fly so this technique was originally 582 00:24:05,250 --> 00:24:09,330 documented by Casey Smith and Matt 583 00:24:06,900 --> 00:24:11,760 Nelson in their 2017 talk Windows 584 00:24:09,330 --> 00:24:14,939 operating system archaeology so instead 585 00:24:11,760 --> 00:24:17,789 of registering a malicious DLL a comm 586 00:24:14,940 --> 00:24:19,650 hijacking register scratch awl so this 587 00:24:17,789 --> 00:24:22,350 is this is legitimate Microsoft binary 588 00:24:19,650 --> 00:24:24,390 this is already on the system and then 589 00:24:22,350 --> 
00:24:27,750 by using the scriptlet URL key you can 590 00:24:24,390 --> 00:24:29,669 associate a window script file to run 591 00:24:27,750 --> 00:24:31,620 when the object is activated and this 592 00:24:29,669 --> 00:24:33,750 can be a file that's on disk but this 593 00:24:31,620 --> 00:24:36,330 can also be a URL to a script like file 594 00:24:33,750 --> 00:24:38,490 and this is really cool because if you 595 00:24:36,330 --> 00:24:41,250 choose to host thats triplet remotely 596 00:24:38,490 --> 00:24:42,750 this this is almost file this like 597 00:24:41,250 --> 00:24:45,350 you're not dropping anything to a file 598 00:24:42,750 --> 00:24:47,730 you're only adding a few reg to subkeys 599 00:24:45,350 --> 00:24:50,039 this is not a common occurrence though I 600 00:24:47,730 --> 00:24:51,779 haven't seen any legitimate uses of the 601 00:24:50,039 --> 00:24:53,520 script what your L key on any systems 602 00:24:51,779 --> 00:24:59,279 where I've looked at though so blue team 603 00:24:53,520 --> 00:25:02,549 tech note let's see a demo of this so 604 00:24:59,279 --> 00:25:05,039 I've got this script file that's that 605 00:25:02,549 --> 00:25:07,320 we're gonna hijack payload is just 606 00:25:05,039 --> 00:25:09,360 creating our favorite W script shell 607 00:25:07,320 --> 00:25:13,350 calm object and using that object to 608 00:25:09,360 --> 00:25:16,020 start out that EHC so we're gonna hijack 609 00:25:13,350 --> 00:25:18,719 that yellow just a local path of the 610 00:25:16,020 --> 00:25:24,950 script file but this could be a URL to a 611 00:25:18,720 --> 00:25:28,020 remote file as you click on explore 612 00:25:24,950 --> 00:25:30,240 there's our calculator so you see that 613 00:25:28,020 --> 00:25:32,399 pokémon is on this screen as well but 614 00:25:30,240 --> 00:25:34,049 sckraab j could already be loaded into 615 00:25:32,399 --> 00:25:36,689 Explorer in which case it won't see that 616 00:25:34,049 --> 00:25:38,309 low damage event but on the 
top right 617 00:25:36,690 --> 00:25:42,210 let's look at the registry structure 618 00:25:38,309 --> 00:25:43,830 required for his style of hijack so this 619 00:25:42,210 --> 00:25:45,990 is the improv server through to Peter's 620 00:25:43,830 --> 00:25:47,610 point ascribe to a dll that already 621 00:25:45,990 --> 00:25:49,860 exists on the system that's a Microsoft 622 00:25:47,610 --> 00:25:52,139 DLL and then this group of New Relic 623 00:25:49,860 --> 00:25:56,760 each is pointing to the location of our 624 00:25:52,140 --> 00:25:58,950 script little another slightly different 625 00:25:56,760 --> 00:26:01,200 variation on this this hijack technique 626 00:25:58,950 --> 00:26:03,000 is to take advantage of class IDs in the 627 00:26:01,200 --> 00:26:04,890 registry that point to the dll that 628 00:26:03,000 --> 00:26:07,440 doesn't actually exist on disk 629 00:26:04,890 --> 00:26:09,419 this gives attackers the opportunity to 630 00:26:07,440 --> 00:26:12,539 write their DLL to that location and 631 00:26:09,419 --> 00:26:14,759 potentially have it loaded without 632 00:26:12,539 --> 00:26:16,499 any type of Ritchie modifications this 633 00:26:14,759 --> 00:26:19,169 only requires dropping an executable 634 00:26:16,499 --> 00:26:21,209 file to disk now in most cases 635 00:26:19,169 --> 00:26:22,889 especially those processes these 636 00:26:21,209 --> 00:26:25,879 libraries are going to be stored in C 637 00:26:22,889 --> 00:26:29,008 windows system32 that's gonna require 638 00:26:25,879 --> 00:26:30,839 administrator privileges - right - but a 639 00:26:29,009 --> 00:26:33,029 lot of third-party software especially 640 00:26:30,839 --> 00:26:34,320 software where components are removed or 641 00:26:33,029 --> 00:26:37,409 make the software has been uninstalled 642 00:26:34,320 --> 00:26:39,689 may leave behind keys in the registry so 643 00:26:37,409 --> 00:26:41,849 here's an example key that was left 644 00:26:39,690 --> 00:26:44,819 behind by an 
older version of Chrome and 645 00:26:41,849 --> 00:26:46,859 I guess a disclaimer this folder does 646 00:26:44,819 --> 00:26:49,289 require administrator rights to access 647 00:26:46,859 --> 00:26:50,879 to and there's also no promise that that 648 00:26:49,289 --> 00:26:52,499 class ID is ever going to be activated 649 00:26:50,879 --> 00:26:55,379 especially if it's a component has been 650 00:26:52,499 --> 00:26:56,759 removed from the software but it might 651 00:26:55,379 --> 00:26:58,289 be activated and there's other ways 652 00:26:56,759 --> 00:27:02,129 where we can use this that I will 653 00:26:58,289 --> 00:27:05,190 demonstrate later another alternative 654 00:27:02,129 --> 00:27:07,349 method is by hijacking the prog ID so 655 00:27:05,190 --> 00:27:09,329 remember the prog ID is the friendly 656 00:27:07,349 --> 00:27:12,569 name of an object it's not guaranteed 657 00:27:09,329 --> 00:27:14,999 unique but comm clients can ask the OS 658 00:27:12,569 --> 00:27:17,819 choose all the prog ID to the class ID 659 00:27:14,999 --> 00:27:20,279 and this is done in the registry so prog 660 00:27:17,819 --> 00:27:23,789 IDs are mapped to class IDs in the 661 00:27:20,279 --> 00:27:26,609 software classes so if you just add a 662 00:27:23,789 --> 00:27:29,609 registry key into h k CU software 663 00:27:26,609 --> 00:27:31,739 classes got a prog IE that points to a 664 00:27:29,609 --> 00:27:34,228 class ID that you've added and is 665 00:27:31,739 --> 00:27:36,299 loading or your library 666 00:27:34,229 --> 00:27:38,909 it'll be hijacked the attacker just 667 00:27:36,299 --> 00:27:42,210 needs to create the key have it point to 668 00:27:38,909 --> 00:27:44,919 the dll or executable of your choosing 669 00:27:42,210 --> 00:27:49,270 another alternative is the abuse of 670 00:27:44,919 --> 00:27:52,600 comms treat as emulation so - - he means 671 00:27:49,270 --> 00:27:55,120 that a class can be emulated by another 672 00:27:52,600 --> 00:27:57,789 class 
so all activational quests and the 673 00:27:55,120 --> 00:28:00,039 original class get forwarded to class ID 674 00:27:57,789 --> 00:28:02,470 specified in the treat as registry key 675 00:28:00,039 --> 00:28:04,950 this just means that if want to do a 676 00:28:02,470 --> 00:28:07,990 hijack we need to create a new class ID 677 00:28:04,950 --> 00:28:10,809 red pointing to whatever comm server 678 00:28:07,990 --> 00:28:13,120 that we want and then we add a treat as 679 00:28:10,809 --> 00:28:14,649 key to the class ID that we want the 680 00:28:13,120 --> 00:28:16,928 hijack and point that to the class that 681 00:28:14,649 --> 00:28:24,610 you created and then whenever that 682 00:28:16,929 --> 00:28:26,669 object exactly so where can we use comm 683 00:28:24,610 --> 00:28:28,178 hijacks in our attack chain as 684 00:28:26,669 --> 00:28:31,179 demonstrated 685 00:28:28,179 --> 00:28:34,120 Kampai decks are exploited by dropping a 686 00:28:31,179 --> 00:28:36,820 dll to disk maybe making some registry 687 00:28:34,120 --> 00:28:38,559 key additions in the HKC you have we 688 00:28:36,820 --> 00:28:41,139 have several different options available 689 00:28:38,559 --> 00:28:43,510 through which Keys we add and what kind 690 00:28:41,140 --> 00:28:45,340 of files we want to drop the disk we 691 00:28:43,510 --> 00:28:48,309 chose class at ease which were often 692 00:28:45,340 --> 00:28:50,590 activated because as an attacker I have 693 00:28:48,309 --> 00:28:53,889 an interest in having my persistent will 694 00:28:50,590 --> 00:28:55,209 run on a machine to cross reduce you 695 00:28:53,890 --> 00:28:57,370 know these hackers code is going to be 696 00:28:55,210 --> 00:28:59,289 called whenever that object is activated 697 00:28:57,370 --> 00:29:01,090 so whatever whatever type of key you 698 00:28:59,289 --> 00:29:03,460 hijack you know whether it's on process 699 00:29:01,090 --> 00:29:06,000 start or maybe it's you know some some 700 00:29:03,460 --> 
00:29:08,679 regularly run tasks the library code run 701 00:29:06,000 --> 00:29:11,620 this technique doesn't necessarily 702 00:29:08,679 --> 00:29:14,169 require any process restarts unless of 703 00:29:11,620 --> 00:29:17,168 course the object you're hijacking I was 704 00:29:14,169 --> 00:29:19,120 only triggered on startup this this 705 00:29:17,169 --> 00:29:21,940 technique is also interesting because 706 00:29:19,120 --> 00:29:23,739 Kampai jacks are not detected by these 707 00:29:21,940 --> 00:29:27,580 sysinternals autoruns tool which is a 708 00:29:23,740 --> 00:29:29,500 very popular forensic school so just 709 00:29:27,580 --> 00:29:31,240 last week my friend layer released a 710 00:29:29,500 --> 00:29:32,620 really cool piece of code so if you look 711 00:29:31,240 --> 00:29:35,080 at the signature of DLL gate class 712 00:29:32,620 --> 00:29:38,260 object this contains an argument for the 713 00:29:35,080 --> 00:29:40,000 objects class ID so this information we 714 00:29:38,260 --> 00:29:42,129 can go out to the registry you can find 715 00:29:40,000 --> 00:29:44,799 the location of the legitimate comm 716 00:29:42,130 --> 00:29:47,230 library we can load that library and 717 00:29:44,799 --> 00:29:49,120 then call the libraries exported DLL via 718 00:29:47,230 --> 00:29:52,389 class object function and effectively 719 00:29:49,120 --> 00:29:54,010 proxy become objects through to the 720 00:29:52,389 --> 00:29:55,679 legitimate library this means that we 721 00:29:54,010 --> 00:29:57,540 won't cause any 722 00:29:55,680 --> 00:30:00,150 stem instability as demonstrated 723 00:29:57,540 --> 00:30:02,670 previously when we're hijacking Rob 724 00:30:00,150 --> 00:30:04,440 a variant of this technique used for 725 00:30:02,670 --> 00:30:06,450 persistence this was previously 726 00:30:04,440 --> 00:30:08,430 documented by Matt Nelson of speck drops 727 00:30:06,450 --> 00:30:11,570 but if you look through these scheduled 728 00:30:08,430 --> 
00:30:15,330 tasks on a system you may see tasks 729 00:30:11,570 --> 00:30:17,250 custom handler action what is this it's 730 00:30:15,330 --> 00:30:20,040 a calm objector scheduled tasks with a 731 00:30:17,250 --> 00:30:23,400 calm trigger they're right for hijacking 732 00:30:20,040 --> 00:30:25,649 all you have to do is hijack that object 733 00:30:23,400 --> 00:30:28,320 make sure that scheduled task is 734 00:30:25,650 --> 00:30:29,640 scheduled to run and you can run that 735 00:30:28,320 --> 00:30:32,100 without the risk of corrupting the 736 00:30:29,640 --> 00:30:33,720 runtime of another process you're in a 737 00:30:32,100 --> 00:30:38,570 PowerShell script that you can use to 738 00:30:33,720 --> 00:30:38,570 identify these digital tasks on a system 739 00:30:38,720 --> 00:30:44,190 another technique we might be able to 740 00:30:40,800 --> 00:30:47,909 use this for is processing so to evade 741 00:30:44,190 --> 00:30:49,980 like a V or EDR detections an attacker 742 00:30:47,910 --> 00:30:52,350 usually wants to do some type of process 743 00:30:49,980 --> 00:30:54,780 injection to have their malicious code 744 00:30:52,350 --> 00:30:57,449 running in another processes address 745 00:30:54,780 --> 00:30:58,710 case this is a very well known evasion 746 00:30:57,450 --> 00:31:01,410 technique just by using another 747 00:30:58,710 --> 00:31:03,960 processes cover an attacker might be 748 00:31:01,410 --> 00:31:06,450 able to interact with files and track 749 00:31:03,960 --> 00:31:09,420 the network all from the process space 750 00:31:06,450 --> 00:31:12,390 of well-known trusted executables like 751 00:31:09,420 --> 00:31:14,010 explorer dot exe or chrome that is no 752 00:31:12,390 --> 00:31:15,720 because chrome dot exe you know it has 753 00:31:14,010 --> 00:31:17,879 to send network traffic maybe it's just 754 00:31:15,720 --> 00:31:21,710 going to get a pass from EDR for sending 755 00:31:17,880 --> 00:31:24,660 traffic to whoever CT server 
using the 756 00:31:21,710 --> 00:31:26,880 actual techniques for performing process 757 00:31:24,660 --> 00:31:27,180 injections is really a game of cat and 758 00:31:26,880 --> 00:31:30,540 mouse 759 00:31:27,180 --> 00:31:33,030 so I demonstrated in my second demo we 760 00:31:30,540 --> 00:31:34,770 created a thread and DLL main we 761 00:31:33,030 --> 00:31:37,710 injected some shell code into the 762 00:31:34,770 --> 00:31:40,170 Explorer process using the create memo 763 00:31:37,710 --> 00:31:41,730 thread API that's really just you know 764 00:31:40,170 --> 00:31:44,340 one technique is a lot of other 765 00:31:41,730 --> 00:31:45,900 techniques is a PC injection you can do 766 00:31:44,340 --> 00:31:48,689 process following you can do thread 767 00:31:45,900 --> 00:31:50,490 hijacking there's a lot of documented 768 00:31:48,690 --> 00:31:53,220 techniques for performing process 769 00:31:50,490 --> 00:31:55,860 injections but comm hijacking is not 770 00:31:53,220 --> 00:31:58,350 really considered effective for 771 00:31:55,860 --> 00:32:00,540 performing process migrations and I 772 00:31:58,350 --> 00:32:02,399 don't understand why not because well 773 00:32:00,540 --> 00:32:04,500 tune security products you know weeks 774 00:32:02,400 --> 00:32:06,120 using like machine learning or AI or 775 00:32:04,500 --> 00:32:08,910 blockchain they're gonna know about 776 00:32:06,120 --> 00:32:10,739 these API calls so any program that we 777 00:32:08,910 --> 00:32:13,230 create that's calling these functions to 778 00:32:10,740 --> 00:32:15,090 perform process migrations as 779 00:32:13,230 --> 00:32:17,460 solid chance of being flagged as 780 00:32:15,090 --> 00:32:19,949 suspicious so through registry 781 00:32:17,460 --> 00:32:23,040 modifications only I demonstrated that 782 00:32:19,950 --> 00:32:25,680 we have to have our code loaded into 783 00:32:23,040 --> 00:32:28,320 other processes so just by knowing which 784 00:32:25,680 --> 00:32:31,250 process 
is called which class IDs we can 785 00:32:28,320 --> 00:32:34,020 hijack a comm object have our object 786 00:32:31,250 --> 00:32:36,210 injected into a more favorable process 787 00:32:34,020 --> 00:32:40,160 and avoid using these suspicious API 788 00:32:36,210 --> 00:32:43,740 calls altogether the only drawback is 789 00:32:40,160 --> 00:32:45,870 some kind of time delay you know until 790 00:32:43,740 --> 00:32:47,700 the comm object is loaded and triggered 791 00:32:45,870 --> 00:32:49,919 we're not going to be able to inject 792 00:32:47,700 --> 00:32:51,270 we're using three remote Grad that 793 00:32:49,920 --> 00:32:55,020 injection is going to be performed 794 00:32:51,270 --> 00:32:57,000 almost instantaneously I really wanted 795 00:32:55,020 --> 00:33:01,740 to show a demo of this technique but the 796 00:32:57,000 --> 00:33:04,760 demo when I have a concept of this 797 00:33:01,740 --> 00:33:07,080 within the next week 798 00:33:04,760 --> 00:33:10,580 sophisticated adversaries they have an 799 00:33:07,080 --> 00:33:13,889 interest in making their activities 800 00:33:10,580 --> 00:33:16,679 using comm hijacking and conjunction 801 00:33:13,890 --> 00:33:19,020 with other techniques an attacker has a 802 00:33:16,680 --> 00:33:21,420 couple of different options or for 803 00:33:19,020 --> 00:33:24,150 misdirection so none of these techniques 804 00:33:21,420 --> 00:33:26,970 that I'm about to talk about they don't 805 00:33:24,150 --> 00:33:30,060 require a comm hijack but when combined 806 00:33:26,970 --> 00:33:32,730 with the common hijack it can augment an 807 00:33:30,060 --> 00:33:34,919 attack chain that could you know bypass 808 00:33:32,730 --> 00:33:37,080 whatever detective controls of present 809 00:33:34,920 --> 00:33:38,160 in the environment are operating in so 810 00:33:37,080 --> 00:33:40,560 first of all application whitelisting 811 00:33:38,160 --> 00:33:42,750 bypasses there's several documented 812 00:33:40,560 --> 00:33:46,169 
Microsoft programs which take a class ID 813 00:33:42,750 --> 00:33:48,750 or prog ID as an argument one run dll 32 814 00:33:46,170 --> 00:33:50,370 is the most well known but you know 815 00:33:48,750 --> 00:33:52,680 there's others there's X wizard is the 816 00:33:50,370 --> 00:33:54,689 verified class ID executable and then 817 00:33:52,680 --> 00:33:57,480 see these all take comm objects as 818 00:33:54,690 --> 00:34:00,720 arguments so a great place to use this 819 00:33:57,480 --> 00:34:03,480 as an example would be after hijacking 820 00:34:00,720 --> 00:34:05,280 key so I mentioned it might not an 821 00:34:03,480 --> 00:34:07,880 abandoned key might not regularly be 822 00:34:05,280 --> 00:34:11,340 called by a process so by using these 823 00:34:07,880 --> 00:34:14,040 binaries you could drop a dll to disk 824 00:34:11,340 --> 00:34:16,410 call a Microsoft signed binary on a 825 00:34:14,040 --> 00:34:18,659 class ID that already act already on the 826 00:34:16,409 --> 00:34:20,770 system and then have your code loaded 827 00:34:18,659 --> 00:34:23,230 into another process 828 00:34:20,770 --> 00:34:25,869 another activity this could be used for 829 00:34:23,230 --> 00:34:28,000 his lateral movements this technique was 830 00:34:25,869 --> 00:34:30,460 originally documented by PO hops but if 831 00:34:28,000 --> 00:34:34,210 an attacker has administrative access on 832 00:34:30,460 --> 00:34:36,820 another host they can use the remote 833 00:34:34,210 --> 00:34:38,830 registry to perform the hijack they can 834 00:34:36,820 --> 00:34:40,869 drop their comm server to disk and then 835 00:34:38,830 --> 00:34:42,668 they can either use decom to activate 836 00:34:40,869 --> 00:34:44,109 the object remotely or they could just 837 00:34:42,668 --> 00:34:49,509 wait for the object to be activated 838 00:34:44,109 --> 00:34:52,330 through normal user interaction so what 839 00:34:49,510 --> 00:34:53,940 are all two takeaways for Red Team so I 840 00:34:52,330 
--> 00:34:56,619 can't call should be incorporated 841 00:34:53,940 --> 00:34:58,330 multiple stages and their attack has and 842 00:34:56,619 --> 00:35:00,310 because this is not a very popular 843 00:34:58,330 --> 00:35:02,950 technique I think it has a place in 844 00:35:00,310 --> 00:35:05,470 everyone's offensive toolkit I've shown 845 00:35:02,950 --> 00:35:07,839 that comm hijacking as a cool way for 846 00:35:05,470 --> 00:35:10,569 use the land persistence this technique 847 00:35:07,839 --> 00:35:12,520 is not really widely used when compared 848 00:35:10,570 --> 00:35:16,180 to techniques such as registry run keys 849 00:35:12,520 --> 00:35:19,780 scheduled tasks W my subscriptions so it 850 00:35:16,180 --> 00:35:21,990 can put you at an advantage calm 851 00:35:19,780 --> 00:35:25,210 interface abuse also gives attackers a 852 00:35:21,990 --> 00:35:28,810 layer of misdirection by appearing to 853 00:35:25,210 --> 00:35:31,960 use components of other processes this 854 00:35:28,810 --> 00:35:34,779 technique could confuse EDR signatures 855 00:35:31,960 --> 00:35:38,320 or maybe even like a tier one analyst so 856 00:35:34,780 --> 00:35:40,180 there a value initial access is another 857 00:35:38,320 --> 00:35:42,339 area where column hijacks can give use 858 00:35:40,180 --> 00:35:44,250 so since common hijacks are really just 859 00:35:42,339 --> 00:35:47,170 causing the applications to run our code 860 00:35:44,250 --> 00:35:48,550 you know why not why don't we see any 861 00:35:47,170 --> 00:35:50,680 stage zero loaders that are just 862 00:35:48,550 --> 00:35:52,450 dropping a DLL to disk and then 863 00:35:50,680 --> 00:35:55,899 hijacking that object and having the 864 00:35:52,450 --> 00:35:57,368 code run hijacks also have the potential 865 00:35:55,900 --> 00:36:00,160 to be used for migrating into other 866 00:35:57,369 --> 00:36:02,170 processes to evade detection or to get 867 00:36:00,160 --> 00:36:04,839 access to that processes memory 
space 868 00:36:02,170 --> 00:36:07,240 without using suspicious API calls like 869 00:36:04,839 --> 00:36:10,450 your MOU thread which is well known to 870 00:36:07,240 --> 00:36:13,750 defenders certain processes like edge or 871 00:36:10,450 --> 00:36:15,460 in an infant Internet Explorer on newer 872 00:36:13,750 --> 00:36:18,580 versions of Windows systems is use 873 00:36:15,460 --> 00:36:20,560 Microsoft code integrity guard this is 874 00:36:18,580 --> 00:36:22,740 preventing unsigned dll's from being 875 00:36:20,560 --> 00:36:25,540 loaded as the process at a kernel level 876 00:36:22,740 --> 00:36:28,209 but these are not the only processes 877 00:36:25,540 --> 00:36:30,070 where developers don't want you loading 878 00:36:28,210 --> 00:36:31,830 additional libraries in their processes 879 00:36:30,070 --> 00:36:33,869 hardened applique 880 00:36:31,830 --> 00:36:36,720 browsers or maybe like anti-cheat 881 00:36:33,869 --> 00:36:38,490 engines they're actively preventing deal 882 00:36:36,720 --> 00:36:40,589 all injections they don't want unsigned 883 00:36:38,490 --> 00:36:42,660 or untrusted code loaded and they're 884 00:36:40,590 --> 00:36:44,580 going to accomplish this through hooking 885 00:36:42,660 --> 00:36:46,950 of different API calls like create 886 00:36:44,580 --> 00:36:49,110 remote thread or load library to prevent 887 00:36:46,950 --> 00:36:51,060 these functions from being used to 888 00:36:49,110 --> 00:36:53,310 launch code that isn't explicitly 889 00:36:51,060 --> 00:36:55,619 whitelisted by the developer but with 890 00:36:53,310 --> 00:36:58,680 comm hijacking it could still be 891 00:36:55,619 --> 00:37:01,920 possible to bypass these negations and 892 00:36:58,680 --> 00:37:03,868 load a dll into a hardened process 893 00:37:01,920 --> 00:37:10,860 without any of the traditional 894 00:37:03,869 --> 00:37:12,690 techniques what are the takeaways so 895 00:37:10,860 --> 00:37:15,030 what I just said 896 00:37:12,690 --> 
[00:37:15] ...you know, if people are in COM in your environment. Like, if you're not watching for registry additions under HKCU\Software\Classes\CLSID, you should be. These registry keys should be watched as closely as you watch Run keys or scheduled tasks. Additions to HKCU CLSIDs aren't common, as seen in the survey I conducted, so the false positives here should be pretty low. InprocServer32 key additions are already monitored by SwiftOnSecurity's Sysmon config. You should also pay special attention to ScriptletURL and TreatAs keys, because these keys can also be used to load malicious objects.

[00:37:52] If an attacker already has administrative access on a machine, they do have the option of any of the techniques I've talked about, but on the HKLM hive: you know, they can overwrite a key location with a DLL, they can hijack ProgID resolution, they can try to emulate a class with TreatAs. But HKLM is owned by TrustedInstaller, so if an attacker does want to go this route of COM abuse as an administrator, they'll be required to change the registry key permissions before conducting the hijack.

[00:38:20] Blue team members should also be checking systems and golden images for abandoned keys, because exploiting these abandoned keys doesn't require any kind of registry modifications. So if you're only watching for registry writes in HKCU, you could miss an attacker exploiting an abandoned CLSID.

[00:38:43] If you're developing security-sensitive applications, or maybe if you're reviewing an application that runs in userspace, don't rely on the OS or the registry to locate COM objects. Don't use CoCreateInstance. Instead you should try to identify the location of the library on disk manually: you know, check the registry, check the file system, make sure that this is a library that you're expecting to load. Then you can call LoadLibrary and directly call DllGetClassObject on the DLL. You can still use all the COM features without relying on the lookup procedure. And this only applies to userland processes; elevated processes are going to read directly from HKLM, which makes this type of abuse [impossible]. And if you're removing an application component, or if your application has been uninstalled, please clean up the registry. Don't leave dangling references to DLLs that don't exist on the system that an attacker...

[00:39:41] I think there's a lot more that's possible with COM abuse that I didn't have time to talk about today. I didn't really talk about hijacking out-of-process COM servers. There could be other registry keys that are usable in the same way that, you know, ProgID or TreatAs is. Frida is another really cool project; it's used for reverse engineering and debugging. I think it can be used to get a better understanding of COM client behavior when it's activating a COM object, you know, what kind of specific user actions will trigger loading a particular CLSID. COM hijacking also gives the attacker the ability to hook calls between applications, read or modify their contents, access sensitive data, change application behavior. This could be very interesting to an attacker. There's also been some documented hijacks that give bonus effects when hijacked. A few examples of this: Matt Nelson was able to disable the Microsoft Antimalware Scan Interface. This just gives AV programs visibility into script executions, but he was able to prevent amsi.dll from being loaded through a COM hijack. That's really cool. James Forshaw was also able to demonstrate a COM hijack which was part of a larger attack chain that was able to execute code inside of ring 0, inside of a VirtualBox kernel driver, which a COM hijack assisted with. So I'm sure there's other keys out there that when hijacked could, you know, maybe prevent some type of EDR solution from accessing a DLL it needs. There's a lot of that I didn't have time to look at.

[00:41:23] So what am I going to be releasing on GitHub? I have a PowerShell script that surveys systems, parses data related to COM hijacking, and performs hijacks. I'll also be releasing all the proof of concept details that I wrote for this presentation. There's two proof of concepts that run a payload inside DllMain. I'll release the DLL which measures thread lifetimes after the library has been loaded. I'll release a proof of concept for performing process migration using only COM hijacks. I expect to have this up within the next week; I just need a little bit more time to clean up and document.

[00:41:59] I really stand on the shoulders of giants here. This presentation would not have been possible without the help of some of my friends, without the support of NCC Group research directors and other researchers who have published their findings on COM abuse. So thank you to all these people on this slide. Does anyone have any questions?

[00:42:36] [Music]

[00:42:46] So that is definitely possible. The reason I didn't really go that route [is that you'd have to do it for] every DLL you want to hijack, and that would be a lot of work. So I think the kind of proxying technique that I showed in leoloobeek's COM proxy project is the most effective and efficient way of doing that. Any other questions? Yeah.

[00:43:18] Can you speak up? I can't hear you. Could you speak up? Okay.

[00:43:30] [Music] [Applause]

[00:43:49] So I mean the PowerShell script is more for just kind of research. I'm really not expecting this PowerShell script [to be used] inside of some environment, because I mean PowerShell is pretty suspicious these days. So the PowerShell script is more for just, on your own test system, identifying these hijack events, than using that on a different system which you might have a little less control over. Does that answer your question?

[00:44:28] [Music]

[00:44:29] I mean, so there's not really... there's no way to block this, prevent this from happening, and I, other than like the Sysmon config that monitors the InprocServer32 key additions, I don't know if anyone's really scrutinizing that sub key to watch for these hijack events.

[00:44:56] [Music]

[00:45:04] So I think Endgame had a blog post about COM hijacks where they were like, oh yeah, we'll detect this, but I mean I haven't been able to test, you know, Endgame's product. Other than that I don't know of any other products that are explicitly detecting this kind of activity.

[00:45:21] [Music] Yes. [Music]

[00:45:30] Um, I mean, not being able to drop like a DLL to disk, using like the ScriptletURL hijack, I mean that could work. Like I said, ScriptletURL is not a common occurrence, and I think newer versions of Windows have like the Windows Defender... it's like WDAC, I can't remember what it stands for, but it prevents scrobj.dll from loading untrusted scriptlet files. It depends; I can't really answer that question.

[00:46:09] Alright, if there are no other [questions]... if you'd like to talk about other techniques that NCC Group is using on our red teams, I'd love to talk to you. Thank you for listening.