#BHASIA BlackHatEvents

CertifiedDCOM: The Privilege Escalation Journey to Domain Admin with DCOM
Tianze Ding (D1iv3), Tencent Security Xuanwu Lab

Whoami
Tianze Ding (D1iv3)
- Senior Security Researcher, Tencent Security Xuanwu Lab
- Focusing on Active Directory Security / Cloud Security / Web Security
- 2022 MSRC Most Valuable Researchers
- Black Hat / DEFCON / HITB Speaker

Agenda
- COM/DCOM Basics
- Previous Research
- COM Attack Surface from Local to Remote
- CertifiedDCOM: Privilege Escalation to Domain Admin
- Patches & Mitigations
- Conclusions & Takeaways

What is COM?
Component Object Model (COM). COM is everywhere: OLE, ActiveX, DirectX, Windows Runtime, WMI, etc.
[Diagram: a COM Server hosts a COM Object; the object exposes IUnknown (QueryInterface, AddRef, Release) and Interface A (Method A, Method B).]
- COM Server: DLL/EXE files with one or more COM classes
- COM Object: an instance of a COM class which implements one or more interfaces
- COM Interface: a set of methods that can be invoked by clients

COM/DCOM
COM Server types:
- In-Process Server: runs in the same process as the client
- Out-of-Process Server: runs in a separate process; client and server interact through ALPC
- Remote Server (DCOM): runs on a remote computer; client and server interact through RPC
[Diagram: Client Process (Application Code -> COM Proxy) <-> ALPC/RPC <-> COM Server (COM Stub -> COM Object), for an out-of-process server or a remote server.]

Out-of-process COM
Parties: Client, COM Server, RPCSS.
1. Client requests a COM object (e.g., CoCreateInstance)
2. RPCSS creates a new process and a new COM object (Launch and Activation)
3. The COM server registers itself and returns activation info to RPCSS
4. RPCSS returns the activation info to the client
5. The client accesses COM interfaces and methods through ALPC (Access)

DCOM
Parties: Client and RPCSS on Computer A; RPCSS and COM Server on Computer B.
1. Client requests a COM object (e.g., CoCreateInstance)
2. RPCSS on Computer A forwards the request to RPCSS on Computer B (port 135)
3. RPCSS on Computer B launches and activates the COM server
4. The client accesses the object through RPC on a dynamic port

Potato Attacks and