A proof-of-concept fileless DCOM Lateral Movement technique using trapped COM objects
This project contains C++ source code for reflectively loading and executing a .NET assembly in a remote computer's WaaS Medic Service svchost.exe process for DCOM lateral movement.
The technique abuses the trapped COM object bug class originally discovered by James Forshaw of Google Project Zero.
For detailed information, please see the accompanying Security Intelligence blog post by Dylan Tran and Jimmy Bayne of IBM X-Force Red.
- Compile with Visual Studio
- Run with the following command under a privileged context:

```
forshops.exe [target machine] [c:\path\to\assembly\to\load]
```
The detection guidance proposed by Samir Bousseaden is applicable for this lateral movement technique:
- Detecting CLR load events within the svchost.exe process of WaaSMedicSvc
- Detecting Registry manipulation (or creation) of the following key: HKLM\SOFTWARE\Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\TreatAs (TreatAs key of the StandardFont CLSID)
We also recommend implementing the following additional controls:
- Detecting DACL manipulation of HKLM\SOFTWARE\Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}
- Hunting for the presence of enabled OnlyUseLatestCLR and AllowDCOMReflection values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework
- Enabling the host-based firewall to restrict DCOM ephemeral port access where possible
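As an added illustration of the registry-based detections above (this is not code from the ForsHops project), the following Python flags the TreatAs key of the StandardFont CLSID and the enabled .NETFramework values in simplified Sysmon-style registry events. The event shape (event_id, target_object, details) and the sample events are constructed assumptions, not a parser for real Sysmon output.

```python
import re

# Registry artifacts named in the detection guidance above.
STANDARDFONT_CLSID = "{0BE35203-8F91-11CE-9DE3-00AA004BB851}"
TREATAS_RE = re.compile(
    r"\\SOFTWARE\\Classes\\CLSID\\" + re.escape(STANDARDFONT_CLSID) + r"\\TreatAs(\\|$)",
    re.IGNORECASE)
NETFX_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\\.NETFramework\\(OnlyUseLatestCLR|AllowDCOMReflection)$",
    re.IGNORECASE)
REGISTRY_EVENT_IDS = {12, 13}  # Sysmon: 12 = key/value create or delete, 13 = value set


def dword_value(details):
    """Parse the integer from a Sysmon-style Details string such as 'DWORD (0x00000001)'."""
    m = re.search(r"0x([0-9A-Fa-f]+)|\b(\d+)\b", details or "")
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def classify(event):
    """Return a finding label for one event, or None when it is not of interest."""
    if event.get("event_id") not in REGISTRY_EVENT_IDS:
        return None
    target = event.get("target_object", "")
    if TREATAS_RE.search(target):
        return "TreatAs key of StandardFont CLSID modified"
    m = NETFX_RE.search(target)
    if m and dword_value(event.get("details")) == 1:
        return f"{m.group(1)} enabled under .NETFramework"
    return None


def hunt(events):
    """Run classify() over a list of events; return (index, label) pairs for hits."""
    return [(i, lbl) for i, e in enumerate(events) if (lbl := classify(e))]


# Constructed sample events in a simplified Sysmon shape (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 13, "target_object": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
     "details": "DWORD (0x00000001)"},
    {"event_id": 13, "target_object": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\AllowDCOMReflection",
     "details": "DWORD (0x00000001)"},
    {"event_id": 12, "target_object": "HKLM\\SOFTWARE\\Classes\\CLSID\\" + STANDARDFONT_CLSID + "\\TreatAs",
     "details": ""},
    {"event_id": 13, "target_object": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\AllowDCOMReflection",
     "details": "DWORD (0x00000000)"},  # value set back to 0: not flagged
    {"event_id": 1, "target_object": "", "details": ""},  # not a registry event
]

if __name__ == "__main__":
    for idx, label in hunt(SAMPLE_EVENTS):
        print(idx, label)
```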
Use the following proof-of-concept YARA rule to detect the standard ForsHops.exe executable:

```
rule Detect_Standard_ForsHops_PE_By_Hash
{
    meta:
        description = "Detects the standard ForsHops PE file by strings"
        reference = "GitHub Project: https://github.com/xforcered/ForsHops/"
    strings:
        $s1 = "System.Reflection.Assembly, mscorlib" wide
        $s2 = "{72566E27-1ABB-4EB3-B4F0-EB431CB1CB32}" wide
        $s3 = "{34050212-8AEB-416D-AB76-1E45521DB615}" wide
        $s4 = "GetType" wide
        $s5 = "Load" wide
    condition:
        all of them
}
```
- Windows Bug Class: Accessing Trapped COM Objects with IDispatch by James Forshaw
- IE11SandboxEscapes Project by James Forshaw
This project is licensed under the GNU General Public License v3.0.
See the LICENSE file for details.
This project includes code from IE11SandboxEscapes by James Forshaw, licensed under GNU General Public License v3.0. See the project license for details.