Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32 Logo

Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32

0
Free
Visit Website

Vendors are notorious for including and/or leaving behind Registry artifacts that could potentially be abused by attackers for lateral movement, evasion, bypass, and persistence. CLSIDs subkeys (LocalServer32 and InprocServer32) can be enumerated to discover abandoned binary references. Interestingly, CLSIDs can be called (‘invoked’) with this command: rundll32.exe -sta {CLSID} Defensive recommendations – clean up artifacts after removal (e.g. unregister), monitor for suspicious events (e.g. rundll32.exe usage), and implement strong Application Whitelisting (AWL) policies/rules. Background Previously, I blogged about a DCOM lateral movement technique that took advantage of a missing file that was referenced in a registry Class Identifier (CLSID) subkey-value on Windows 2008/2012 hosts. After seeing the impact of that technique, the entire notion of COM (Component Object Model) & key-value path hijacking became even more fascinating to me. As such, I decided to revisit CSLIDs, LocalServer32, and InprocServer32 to (hopefully) uncover even more interesting findings. In this post, we will discuss: The purpose of CLSIDs, LocalServer32, and InprocServer32 A slight

FEATURES

ALTERNATIVES

Kaitai Struct is a declarative language for describing binary data structures.

GuardDog is a CLI tool for identifying malicious PyPI and npm packages through heuristics and Semgrep rules.

A detailed analysis of malicious packages and how they work

Binary Ninja is an interactive decompiler, disassembler, debugger, and binary analysis platform with a focus on automation and a clean GUI.

Guide on emulating Raspberry Pi with QEMU and exploring Arm TrustZone research.

A minimal, consistent API for building integrations with malware sandboxes

Powerful debugging tool with extensive features and extensions for memory dump analysis and crash dump analysis.

A tool for reading Portable Executable (PE) files with detailed information about the file structure.

PINNED