Lateral movement using URL Protocol
Introduction as usually, extremely splendid
The lateral movement is a technique grant you the access for system materials, how the operation works to executing it using ( Windows management instrumentation ) WMI or via Powershell DCOM COM at this a blog post I’ll give the newest about lateral movement using URL Protocol in the system operation while I’ll explain the subject, we have to interpret everything in the lateral movement
Synopsis URL protocols?
URL Protocols are services to access to the tools in Windows through Web Browser instead use file:/// Protocol every time, however , URL Protocol It isn’t local server but It’s just service like registry structures, as instance, let’s take a look at this picture
That ms-settings is the service responsible for executing a program that you want to open it, in the browser, It uses a tree of the information, for example, Shell/Open/Command, at this point of the structure /command the important side to open through the browser, there are many interesting things It called a delegate execute, It contains CLSID and might cause the disasters for a system operating, we might have a chance to crawl with COM hijacking through this part *Delegate* also we may be as an attacker powershell using lateral movement, so , let me show you a few methods to using this in COM hijacking
You may be noticed It’s easy to create structure like ms-settings, in like manner and a fake, so , this is easy but wha about internet explorer, It needs acceptance permission to execute! but do we can to bypassing the security? don’t worry about that, I spent one week unitl found this topic to bypassing, It may be a similar venue
That was such an amazing when I saw this WarnOnOpen gives us the permission to executing anything via ms-settings, now you have to go to add some things in a registry to create COM hijacking
Remarking
After this operation we can take a test at this point in internet.explorer and make sure It works to invoke CLSID from *Delegate Execute* via explorer browser
Explorer browser has been running COM Hijacking without taking permission to execute COM Hijacking CLSID or anything, so , explorer, It contains interpreter CLSID is an ielowutil.exe, so , let me explain the lateral movement in Powershell now , we can use explorer in Powershell as well as the same way the explorer works in browser or a Powershell
Conclusion ==> Matt harr0ey
https://gist.github.com/homjxi0e/2e47ffa59e314df04324937a13f8f320