Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32
Vendors are notorious for including and/or leaving behind Registry artifacts that could potentially be abused by attackers for lateral movement, evasion, bypass, and persistence. CLSID subkeys (LocalServer32 and InprocServer32) can be enumerated to discover abandoned binary references. Interestingly, CLSIDs can be called ('invoked') with this command:

rundll32.exe -sta {CLSID}

Defensive recommendations: clean up artifacts after removal (e.g. unregister), monitor for suspicious events (e.g. rundll32.exe usage), and implement strong Application Whitelisting (AWL) policies/rules.

Background

Previously, I blogged about a DCOM lateral movement technique that took advantage of a missing file that was referenced in a registry Class Identifier (CLSID) subkey value on Windows 2008/2012 hosts. After seeing the impact of that technique, the entire notion of COM (Component Object Model) and key-value path hijacking became even more fascinating to me. As such, I decided to revisit CLSIDs, LocalServer32, and InprocServer32 to (hopefully) uncover even more interesting findings.

In this post, we will discuss:

The purpose of CLSIDs, LocalServer32, and InprocServer32
A slight