Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement
0
Free
Last Wednesday, I had some down time so I decided to hunt around in System32 to see if I could find anything of potential interest. I located a few DLL files that shared an interesting export function called OpenURL: While looking for a quick win, I wanted to see if anything could be invoked without much effort. Sure enough, url.dll allowed for the execution an HTML application (.hta) using these commands: rundll32.exe url.dll,OpenURL "local\path\to\harmless.hta" rundll32.exe url.dll,OpenURLA "local\path\to\harmless.hta" After a few more functional tests across platforms, I (prematurely) posted this on Twitter, and the initial feedback was incredibly fast, educational, and humbling. On one hand, I should have went through a few more test routines to understand what was actually happening under the hood prior to posting. Conversely, it was incredible to see the instant reaction from some of the best practitioners in the field who helped triage this in what seemed like a matter of minutes. Big thanks to @subTee, @r0wdy_, and @Hexacorn for their rapid analysis! In short, the HTA was invoked using the OpenURL function, allowing for pass-thru command execution and lateral movement.
FEATURES
The author has not provided features for this tool yet. If you are the author, please sign in or claim the tool to add features by clicking the icon above.
ALTERNATIVES
A tool that visits suspected phishing pages, takes screenshots, and extracts interesting files.
A proxy aware C2 framework for penetration testing, red teaming, post-exploitation, and lateral movement with modular format and highly configurable payloads.
Emulates Docker HTTP API with event logging and AWS deployment script.
A document that helps inform red team planning by contrasting against the very specific red team style described in Red Teams.
An open-source shellcode and PE packer for creating and managing portable executable files.
An exploration of a new method to abuse DCOM for remote payload execution and lateral movement.
A comprehensive malware-analysis tool that utilizes external AV scanners to identify malicious elements in binary files.
PINNED
Fabric Platform by BlackStork
Fabric Platform is a cybersecurity reporting solution that automates and standardizes report generation, offering a private-cloud platform, open-source tools, and community-supported templates.
Free
Security Operations
Mandos Brief Newsletter
Stay ahead in cybersecurity. Get the week's top cybersecurity news and insights in 8 minutes or less.
Free
Blogs and News
Wiz
Wiz Cloud Security Platform is a cloud-native security platform that enables security, dev, and devops to work together in a self-service model, detecting and preventing cloud security threats in real-time.
Commercial
Cloud Security
Adversa AI
Adversa AI is a cybersecurity company that provides solutions for securing and hardening machine learning, artificial intelligence, and large language models against adversarial attacks, privacy issues, and safety incidents across various industries.
Commercial
AI Security