Lateral movement using URL Protocol

Jihad Abdrazak
3 min read · Oct 22, 2018


Introduction, extremely splendid as usual
Lateral movement is a technique that grants you access to a system's resources. It is usually executed using Windows Management Instrumentation (WMI) or via PowerShell with DCOM/COM. In this blog post I'll present the newest way of doing lateral movement, using URL Protocols in the operating system, and while I explain the subject we will interpret everything involved in the lateral movement.

Synopsis: URL protocols?
URL Protocols are services for accessing tools in Windows through a web browser instead of using the file:/// protocol every time. However, a URL Protocol is not a local server; it is just a service defined by a registry structure. As an instance, let's take a look at this picture:

Here ms-settings is the service responsible for executing the program you want to open from the browser. It uses a tree of information, for example Shell/Open/Command; at this point of the structure, /command is the important side for opening through the browser. There are many interesting things in it, one of them called DelegateExecute; it contains a CLSID and might cause disasters for the operating system. We may have a chance to crawl in with COM hijacking through this *DelegateExecute* part, and as an attacker we may also use PowerShell for lateral movement, so let me show you a few methods of using this for COM hijacking.

You may have noticed that it is easy to create a structure like ms-settings, and likewise a fake one, so that part is easy. But what about Internet Explorer? It needs the user's acceptance permission to execute! So can we bypass that security? Don't worry about it; I spent one week until I found this topic for bypassing it, and it may be a similar venue.

It was amazing when I saw that WarnOnOpen gives us permission to execute anything via ms-settings. Now you have to add some things in the registry to create the COM hijacking.

Remarking
After this operation we can run a test at this point in Internet Explorer and make sure it works to invoke the CLSID from *DelegateExecute* via the Explorer browser.

The Explorer browser has been running the COM hijacking without asking permission to execute the COM hijacking CLSID or anything else, because Explorer contains an interpreter for the CLSID, which is ielowutil.exe. So let me explain the lateral movement in PowerShell now: we can use Explorer from PowerShell as well, in the same way Explorer works in the browser or in PowerShell.
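To see what this chain looks like on a host you defend, here is an added audit script (not code from the original post or its gist) that enumerates the registered URL protocol handlers, shows the command and any DelegateExecute CLSID behind each, flags a CLSID that resolves from the per-user hive (HKCU\Software\Classes, the usual place a COM hijack lands without admin rights), and reports whether Internet Explorer's open prompt for the scheme has been turned off. The location of the prompt setting (HKCU\Software\Microsoft\Internet Explorer\ProtocolExecute\<scheme>\WarnOnOpen) and the function name are assumptions of this example.

```powershell
# Added defensive audit example; not code from the original post.
# Lists URL protocol handlers under HKCR, the command each runs, any
# DelegateExecute CLSID, whether that CLSID is shadowed from the user hive
# (a COM hijacking indicator), and whether IE's open prompt was disabled.
# Assumed path for the prompt setting:
#   HKCU\Software\Microsoft\Internet Explorer\ProtocolExecute\<scheme>\WarnOnOpen

function Get-UrlProtocolHandlerAudit {
    [CmdletBinding()]
    param([string]$Scheme = '*')

    $ieRoot = 'HKCU:\Software\Microsoft\Internet Explorer\ProtocolExecute'
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -like $Scheme } |
      ForEach-Object {
        # Only keys carrying the "URL Protocol" value are scheme handlers.
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.PSObject.Properties['URL Protocol']) { return }

        $name   = $_.PSChildName
        $cmdKey = Join-Path $_.PSPath 'shell\open\command'
        $cmd    = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
        $clsid  = $cmd.DelegateExecute

        # A CLSID registered under HKCU\Software\Classes takes precedence over
        # the machine-wide one, which is how a hijack persists without admin.
        $userOverride = $false
        if ($clsid) {
            $userOverride = Test-Path "HKCU:\Software\Classes\CLSID\$clsid"
        }

        # WarnOnOpen = 0 means IE launches the handler without prompting.
        $warn = Get-ItemProperty -Path (Join-Path $ieRoot $name) -ErrorAction SilentlyContinue
        $promptDisabled = ($null -ne $warn) -and ($warn.WarnOnOpen -eq 0)

        [pscustomobject]@{
            Scheme           = $name
            Command          = $cmd.'(default)'
            DelegateExecute  = $clsid
            UserHiveOverride = $userOverride
            IEPromptDisabled = $promptDisabled
        }
      }
}

# Usage: show only handlers with a hijack indicator or a silenced prompt.
Get-UrlProtocolHandlerAudit |
  Where-Object { $_.UserHiveOverride -or $_.IEPromptDisabled } |
  Format-Table -AutoSize
```

Run it periodically or from an EDR script task and baseline the output; a new scheme, a DelegateExecute CLSID that suddenly resolves from HKCU, or WarnOnOpen dropping to 0 for ms-settings are the changes worth alerting on.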

Conclusion ==> Matt harr0ey

https://gist.github.com/homjxi0e/2e47ffa59e314df04324937a13f8f320


Jihad Abdrazak

An Ambitious man | Red teamer | Security Researcher | Passionate about windows internals, abusing features and malware analysis