Silent Pivot: Exploiting SpeechRuntimeMove for Stealthy Lateral Movement via DCOM
SpeechRuntimeMove
Lateral Movement via SpeechRuntime DCOM trigger & COM Hijacking.
This Proof of Concept (PoC) for Lateral Movement abuses the fact, that some COM Classes configured as INTERACTIVE USER will spawn a process in the context of the currently logged on users session.
If those processes are also vulnerable to COM Hijacking, we can configure a COM Hijack via the remote registry, drop a malicious DLL via SMB and trigger loading/execution of this DLL via DCOM.
This technique removes the need to takeover the system plus afterward:
- Impersonate the target user
- Steal the target users credentials from LSASS or somewhere else
- or use alternative techniques to take over the account
Because our code is already getting executed in the context of the logged in user, we can do whatever we want in that context and create less IoCs for alternative techniques.
In this PoC, the CLSID 38FE8DFE-B129-452B-A215-119382B89E3D – Speech Named Pipe COM is used with the IID ISpeechNamedPipe. SpeechRuntime.exe will be spawned whenever an instance of the Speech Named Pipe COM Class is created, which is vulnerable to COM Hijacking:
The CLSID 655D9BF9-3876-43D0-B6E8-C83C1224154C (and many more) are looked for under HKCU, which we can hijack from remote.
Enum Mode
To find out, which users are active on a remote client you can use the enum mode like this:
[pastacode lang=”markup” manual=”SpeechRuntimeMove.exe%20mode%3Denum%20target%3D%3CtargetHost%3E” message=”” highlight=”” provider=”manual”/]
Attack mode
To actually execute code on the remote system, you need to specify the target username, the Session number, the DLL drop path as well as the command to execute:
[pastacode lang=”markup” manual=”SpeechRuntimeMove.exe%20mode%3Dattack%20target%3D%3CtargetHost%3E%20dllpath%3DC%3A%5Cwindows%5Ctemp%5Cpwned.dll%20session%3D2%20targetuser%3Dlocal%5Cdomadm%20command%3D%22cmd.exe%20%2FC%20calc.exe%22″ message=”” highlight=”” provider=”manual”/]
OpSec considerations / Detection
The PoC uses a hardcoded DLL, which will always look the same and which will get dropped on the target. It’s super easy to build detections on this DLL, so using a self written DLL will less likely get you detected. With a custom DLL you will also live in a trusted signed process instead of spawning a new one, that’s usually what attackers prefer.
Behavior based detection of this technique can be done by checking for
- Remote COM Hijack of the mentioned CLSID followed by
SpeechRuntime.exeloading a newly dropped DLL from the hijack locationSpeechRuntime.exespawning suspicious sub-processes
Download
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
