The Alexiou Principle

I very rarely republish content of other blogs, but today, for many reasons really, I feel obliged to republish one of the most relevant DFIR posts ever: The Alexiou Principle by Chris Pogue.

The 4 questions that form The Alexiou Principle are absolutely perfect:

  1. What question are you trying to answer?
  2. What data do you need to answer that question?
  3. How do you extract that data?
  4. What does that data tell you?

Whether you are starting your DFIR journey or are a seasoned DFIR professional, these four questions will remain a mantra that you follow, one way or another.

Embrace them.

manifest comclass curiosity

At the time I looked at certutil I spotted one interesting bit – its manifest included a reference to ‘certadm.dll’ and ‘comClass’.

<file name = "certadm.dll">
    <comClass description = "ICertAdmin2"
        clsid = "{f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39}"
        threadingModel = "Both"/>
    <comClass description = "CCertAdmin"
        clsid = "{37eabaf0-7fb6-11d0-8817-00a0c903b83c}"
        threadingModel = "Both"/>
    <comClass description = "ICertView2"
        clsid = "{d594b282-8851-4b61-9c66-3edadf848863}"
        threadingModel = "Both"/>
    <comClass description = "CCertView"
        clsid = "{a12d0f7a-1e84-11d1-9bd6-00c04fb683fa}"
        threadingModel = "Both"/>
</file>

Once I spotted it I immediately jumped on it, hoping that this was yet another rare persistence/side-loading opportunity. Not only is ‘certadm.dll’ not present on newer OS versions (a phantom DLL!), but the `comClass` element suggests we might be able to get a COM DLL loaded whenever an application that relies on this loading mechanism instantiates one of the listed classes. COM documentation refers to this mechanism as registration-free (side-by-side) COM: the class-to-DLL mapping lives in the manifest instead of under HKCR\CLSID.

Another interesting bit is that certutil.exe is an orphan when it comes to manifests with comClass. Yes, this is the only native OS executable I could find whose manifest actually references comClass!
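The hunt described above, as an added example that is not code from the original post: walk a directory of executables, pull each embedded manifest out of the raw bytes by searching for the `<assembly>` envelope (RT_MANIFEST resources are stored as plain UTF-8 XML, so no PE parser is needed for a first pass), list every `comClass` together with the DLL its `<file>` element points at, and flag that DLL as a phantom when it exists neither beside the executable nor in any supplied search directory. The sample "executables" are constructed in a temporary directory from the certutil fragment shown above; `extract_manifests`, `comclass_entries`, `is_phantom`, `scan_directory` and `demo` are names of this example, not Windows APIs.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Added example, not code from the original post. Hunts for executables whose
# embedded manifest declares registration-free COM classes (<comClass>) and flags
# referenced DLLs that cannot be found on disk (phantom DLLs).

# RT_MANIFEST resources are stored as plain UTF-8 XML in the PE resource section,
# so a byte-level search for the <assembly>...</assembly> envelope is enough for
# a first-pass hunt (mt.exe or a proper resource walk is more precise).
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)


def _local(tag: str) -> str:
    """Strip an XML namespace prefix like '{urn:...}file' down to 'file'."""
    return tag.rsplit("}", 1)[-1]


def extract_manifests(data: bytes) -> list:
    """Return every embedded manifest found in raw file bytes, decoded as text."""
    return [m.decode("utf-8", errors="replace") for m in MANIFEST_RE.findall(data)]


def comclass_entries(manifest_xml: str) -> list:
    """List each <comClass> nested under a <file> element, with the DLL it maps to."""
    root = ET.fromstring(manifest_xml)
    entries = []
    for file_el in root.iter():
        if _local(file_el.tag) != "file":
            continue
        for cc in file_el:
            if _local(cc.tag) == "comClass":
                entries.append({
                    "dll": file_el.get("name"),
                    "description": cc.get("description"),
                    "clsid": (cc.get("clsid") or "").lower(),
                    "threadingModel": cc.get("threadingModel"),
                })
    return entries


def is_phantom(dll: str, exe_path: Path, search_dirs) -> bool:
    """True when the referenced DLL is found neither next to the EXE nor in search_dirs."""
    candidates = [exe_path.parent / dll] + [Path(d) / dll for d in search_dirs]
    return not any(c.is_file() for c in candidates)


def scan_directory(directory, search_dirs=()) -> list:
    """Scan *.exe files in a directory and report every comClass entry plus its phantom status."""
    findings = []
    for exe in sorted(Path(directory).glob("*.exe")):
        for manifest in extract_manifests(exe.read_bytes()):
            try:
                entries = comclass_entries(manifest)
            except ET.ParseError:
                continue  # truncated or non-XML match: skip it rather than abort the hunt
            for entry in entries:
                entry["exe"] = exe.name
                entry["phantom"] = is_phantom(entry["dll"], exe, search_dirs)
                findings.append(entry)
    return findings


# Constructed sample: the certutil fragment from the post, wrapped in the standard
# asm.v1 envelope and surrounded by filler bytes to stand in for a PE image.
SAMPLE_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <file name="certadm.dll">
    <comClass description="ICertAdmin2" clsid="{f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39}" threadingModel="Both"/>
    <comClass description="CCertAdmin" clsid="{37eabaf0-7fb6-11d0-8817-00a0c903b83c}" threadingModel="Both"/>
    <comClass description="ICertView2" clsid="{d594b282-8851-4b61-9c66-3edadf848863}" threadingModel="Both"/>
    <comClass description="CCertView" clsid="{a12d0f7a-1e84-11d1-9bd6-00c04fb683fa}" threadingModel="Both"/>
  </file>
</assembly>"""


def demo() -> list:
    """Build a throwaway directory with two fake EXEs (one with comClass, one without) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "certutil.exe").write_bytes(b"MZ" + b"\x00" * 64 + SAMPLE_MANIFEST + b"\x00" * 16)
        # A manifest with no <file>/<comClass> must produce no findings.
        (d / "notepad.exe").write_bytes(
            b'MZ<assembly xmlns="urn:schemas-microsoft-com:asm.v1"><noInherit/></assembly>')
        return scan_directory(d)  # certadm.dll was never written, so every entry is a phantom


if __name__ == "__main__":
    for f in demo():
        print(f["exe"], f["dll"], f["clsid"], f["description"], "PHANTOM" if f["phantom"] else "present")
```

On a real system you would point `scan_directory` at `C:\Windows\System32` and pass that same directory (plus any application-specific search paths) as `search_dirs`, since a DLL referenced by a manifest is resolved relative to the assembly, not the working directory. A DLL reported as phantom is only a lead: whether a planted copy actually gets loaded still depends on some code path instantiating one of the listed CLSIDs through the activation context, which is exactly the step the post was unable to trigger.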

Sadly, in the end I was not able to side-load anything or instantiate anything, but the idea sticks. Perhaps people more familiar with COM can shed some light on how to use it?