COM Hijacking
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
As the values of HKCU can be modified by the users COM Hijacking could be used as a persistent mechanisms. Using procmon
it's easy to find searched COM registries that doesn't exist that an attacker could create to persist. Filters:
RegOpenKey operations.
where the Result is NAME NOT FOUND.
and the Path ends with InprocServer32.
Once you have decided which not existent COM to impersonate execute the following commands. Be careful if you decide to impersonate a COM that is loaded every few seconds as that could be overkill.
Windows Tasks use Custom Triggers to call COM objects and because they're executed through the Task Scheduler, it's easier to predict when they're gonna be triggered.
Checking the output you can select one that is going to be executed every time a user logs in for example.
Now searching for the CLSID {1936ED8A-BD93-3213-E325-F38D112938EF} in HKEY_CLASSES_ROOT\CLSID and in HKLM and HKCU, you usually will find that the value doesn't exist in HKCU.
Then, you can just create the HKCU entry and everytime the user logs in, your backdoor will be fired.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)