Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement
Last Wednesday, I had some down time so I decided to hunt around in System32 to see if I could find anything of potential interest. I located a few DLL files that shared an interesting export function called OpenURL: While looking for a quick win, I wanted to see if anything could be invoked without much effort. Sure enough, url.dll allowed for the execution an HTML application (.hta) using these commands: rundll32.exe url.dll,OpenURL "local\path\to\harmless.hta" rundll32.exe url.dll,OpenURLA "local\path\to\harmless.hta" After a few more functional tests across platforms, I (prematurely) posted this on Twitter, and the initial feedback was incredibly fast, educational, and humbling. On one hand, I should have went through a few more test routines to understand what was actually happening under the hood prior to posting. Conversely, it was incredible to see the instant reaction from some of the best practitioners in the field who helped triage this in what seemed like a matter of minutes. Big thanks to @subTee, @r0wdy_, and @Hexacorn for their rapid analysis! In short, the HTA was invoked using the OpenURL function, allowing for pass-thru command execution and lateral movement.
FEATURES
ALTERNATIVES
A collection of Microsoft PowerShell modules for penetration testing purposes.
A tool for security researchers and penetration testers to automate the process of finding sensitive information on a target domain.
A set of YARA rules for identifying files containing sensitive information
A collection of tips and tricks for container and container orchestration hacking
The Proxmark III is a versatile device for sniffing, reading, and cloning RFID tags with strong community support.
AzureC2Relay enhances security by validating and relaying Cobalt Strike beacon traffic through Azure Functions.
PINNED
InfoSecHired
An AI-powered career platform that automates the creation of cybersecurity job application materials and provides company-specific insights for job seekers.
Mandos Brief Newsletter
A weekly newsletter providing cybersecurity leadership insights, industry updates, and strategic guidance for security professionals advancing to management positions.
Checkmarx SCA
A software composition analysis tool that identifies vulnerabilities, malicious code, and license risks in open source dependencies throughout the software development lifecycle.
Check Point CloudGuard WAF
A cloud-native web application and API security solution that uses contextual AI to protect against known and zero-day threats without signature-based detection.
Orca Security
A cloud-native application protection platform that provides agentless security monitoring, vulnerability management, and compliance capabilities across multi-cloud environments.
DryRun
A GitHub application that performs automated security code reviews by analyzing contextual security aspects of code changes during pull requests.
Wiz
Wiz Cloud Security Platform is a cloud-native security platform that enables security, dev, and devops to work together in a self-service model, detecting and preventing cloud security threats in real-time.