Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32
Vendors are notorious for including and/or leaving behind Registry artifacts that could potentially be abused by attackers for lateral movement, evasion, bypass, and persistence. CLSIDs subkeys (LocalServer32 and InprocServer32) can be enumerated to discover abandoned binary references. Interestingly, CLSIDs can be called (‘invoked’) with this command: rundll32.exe -sta {CLSID} Defensive recommendations – clean up artifacts after removal (e.g. unregister), monitor for suspicious events (e.g. rundll32.exe usage), and implement strong Application Whitelisting (AWL) policies/rules. Background Previously, I blogged about a DCOM lateral movement technique that took advantage of a missing file that was referenced in a registry Class Identifier (CLSID) subkey-value on Windows 2008/2012 hosts. After seeing the impact of that technique, the entire notion of COM (Component Object Model) & key-value path hijacking became even more fascinating to me. As such, I decided to revisit CSLIDs, LocalServer32, and InprocServer32 to (hopefully) uncover even more interesting findings. In this post, we will discuss: The purpose of CLSIDs, LocalServer32, and InprocServer32 A slight
FEATURES
EXPLORE BY TAGS
SIMILAR TOOLS
A malware/botnet analysis framework with a focus on network analysis and process comparison.
A Unix-based tool that scans for rootkits and other malware on a system, providing a detailed report of the scan results.
RetDec is a versatile machine-code decompiler with support for various file formats and architectures.
A cheat sheet for default credentials to aid in penetration testing and vulnerability assessment
A Burp intruder extender for automating and validating XSS vulnerabilities
Studying Android malware behaviors through Information Flow monitoring techniques.
Valkyrie is a sophisticated file verdict system that enhances malware detection through behavioral analysis and extensive file feature examination.
PINNED
Mandos
Fractional CISO service that helps B2B companies implement security leadership to win enterprise deals, achieve compliance, and develop strategic security programs.
Checkmarx SCA
A software composition analysis tool that identifies vulnerabilities, malicious code, and license risks in open source dependencies throughout the software development lifecycle.
Orca Security
A cloud-native application protection platform that provides agentless security monitoring, vulnerability management, and compliance capabilities across multi-cloud environments.
DryRun
A GitHub application that performs automated security code reviews by analyzing contextual security aspects of code changes during pull requests.