| property | value |
| --- | --- |
| tags | offensive-tradecraft,pkm-pocket-pipeline,tactic-hijacking,tactic-lol,technique-dcom-abuse |
| url | |
| original_word_count | 1379 |
Article Excerpt
TL;DR Vendors are notorious for including and/or leaving behind Registry artifacts that could potentially be abused by attackers for lateral movement, evasion, bypass, and persistence. CLSID subkeys (LocalServer32 and InprocServer32) can be enumerated to discover abandoned binary references.
Long Summary
This article discusses the purpose of CLSIDs, LocalServer32, and InprocServer32, and provides a method for enumerating LocalServer32 and InprocServer32 keys and locating abandoned binary references. It also revisits the DCOM lateral movement technique, which takes advantage of a missing file that is referenced in a registry Class Identifier (CLSID) subkey-value on Windows 2008/2012 hosts. Additionally, the article covers the abuse of registry COM CLSIDs with rundll32, evasive DLL loading, traditional COM hijacking, and AppLocker bypass.
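The enumeration step described above, written as a defender's audit in PowerShell. This is an added example, not code from the bohops article or this summary; the function names and the path-parsing heuristic are assumptions of this example, and it must run on the Windows host being audited.

```powershell
# Added example, not code from the original article: audit HKCR\CLSID for
# LocalServer32 / InprocServer32 default values whose binary no longer exists.
# Assumes it runs on the Windows host being audited with read access to HKCR.

function Resolve-ServerPath {
    # Turns a raw server value into a file path: expands %VARS%, strips quotes
    # and trailing arguments, and resolves bare DLL names against System32.
    param([string]$Value)
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -lt 0) { $end = $v.Length }          # unterminated quote
        $v = $v.Substring(1, $end - 1)
    } elseif (-not (Test-Path -LiteralPath $v -PathType Leaf)) {
        $v = $v -replace '\s+[/-].*$', ''             # drop " /Automation"-style args
    }
    if ([string]::IsNullOrWhiteSpace($v)) { return $v }
    if (-not [IO.Path]::IsPathRooted($v)) {
        $v = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $v
    }
    return $v
}

function Get-AbandonedClsidBinary {
    # Emits one object per CLSID server subkey whose referenced file is missing.
    # HKCR is a merged view of HKLM and HKCU software classes, so both are covered.
    param([string]$ClsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID')
    foreach ($clsid in Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue) {
        foreach ($server in 'LocalServer32', 'InprocServer32') {
            $keyPath = Join-Path -Path $clsid.PSPath -ChildPath $server
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $raw = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            $path = Resolve-ServerPath $raw
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                [pscustomobject]@{
                    Clsid     = $clsid.PSChildName
                    ServerKey = $server
                    RawValue  = $raw
                    Resolved  = $path
                }
            }
        }
    }
}

# Review the output before touching anything; removing a key that an installed
# product still relies on will break that product.
Get-AbandonedClsidBinary | Sort-Object Clsid | Format-Table -AutoSize
```

Entries this reports are the cleanup candidates the article asks vendors to remove and the baseline net defenders can compare against when watching rundll32.exe activity.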
The article also provides defensive considerations for vendors and net defenders. Vendors should remove COM registry artifacts and not create CLSID binary path registry key-values that point to non-existent binaries. Net defenders should monitor for interesting host activity, especially for rundll32.exe usage, and organizations should implement strong Application Whitelisting (AWL) policies and move beyond default rules.
In conclusion, this article provides an overview of CLSIDs, LocalServer32, and InprocServer32, and how they can be abused by attackers for lateral movement, evasion, bypass, and persistence. It also provides defensive recommendations to clean up artifacts after removal, monitor for suspicious events, and implement strong Application Whitelisting (AWL) policies/rules.
Short Summary
Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32
- TL;DR Vendors are notorious for including and/or leaving behind Registry artifacts that could potentially be abused by attackers for lateral movement, evasion, bypass, and persistence. CLSID subkeys (LocalServer32 and InprocServer32) can be enumerated to discover abandoned binary references.
- Discusses the purpose of CLSIDs, LocalServer32, and InprocServer32
- Enumerates LocalServer32 and InprocServer32 keys and locates abandoned binary references
- Revisits the DCOM lateral movement technique on Windows 2008/2012 hosts
- Covers abuse of registry COM CLSIDs with rundll32, evasive DLL loading, traditional COM hijacking, and AppLocker bypass
- Provides defensive considerations for vendors and net defenders
- Vendors should remove COM registry artifacts and avoid pointing to non-existent binaries
- Net defenders should monitor for suspicious activity, particularly rundll32.exe usage
- Organizations should implement strong Application Whitelisting (AWL) policies
- Offers recommendations for cleaning up artifacts, monitoring for suspicious events, and implementing strong AWL policies/rules
- Overall, the article provides an overview of how CLSIDs can be abused by attackers and ways to defend against it.
source link: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/abusing-the-com-registry-structure-clsid-localserver32-inprocserver32
#CLSIDs #LocalServer32 #InprocServer32 #LateralMovement #ApplicationWhitelisting