COM Hijacking - CraigDonkin/Infrastructure GitHub Wiki

T1122: COM Hijacking

  • COM allows software components to interact
  • Handled by the registry
    • Query to the registry according to a GUID
    • Each GUID references a file implementing the class's interfaces
  • HKCU
    • User-based COM objects
    • HKCU\Software\Classes
  • HKLM
    • Entire machine COM objects
    • HKLM\Software\Classes
  • COM security policy restricts high integrity processes to HKLM registrations (per-user HKCU entries are ignored) to avoid UAC bypass
  • Phantom COM
    • COM object references that don't have an implementation on disk

Technique

With process monitor

  • Use ProcMon to identify phantom COM objects; filter on:
    • Operation is RegOpenKey
    • Result is NAME NOT FOUND
    • Path ends with InprocServer32
  • Look for CLSIDs that aren't opened that often.
  • Look for RegOpenKey failures.
  • Look for ones that are not in HKCU.
  • Verify with PowerShell that the CLSID exists in HKLM but not in HKCU:

Get-Item -Path "HKLM:\<path to CLSID>"
Get-Item -Path "HKCU:\<path to CLSID>"

  • Plant the malicious DLL in each missing key:

New-Item -Path "HKCU:\Software\Classes\CLSID" -Name "<CLSID>"
New-Item -Path "HKCU:\Software\Classes\CLSID\<CLSID>" -Name "InprocServer32" -Value "<payload>"
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\<CLSID>\InprocServer32" -Name "ThreadingModel" -Value "Both"

  • Use ProcMon to monitor the Load Image event to see whether the malicious DLL is being loaded.

With acCOMplice

  • This tool can identify potential COM Hijacks from the output of Process Monitor

https://github.com/nccgroup/acCOMplice

Import-Module .\ComHijackToolkit.ps1
Extract-HijackableKeysFromProcmonCSV -CSVfile <file.csv>
  • Or find missing libraries with Find-MissingLibraries

Task Scheduler

Example - Hijacking Event Viewer

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\open\command
    • Change the (default) value to point to the malicious binary
  • Opening apps such as Event Viewer, which open MMC, will cause the malicious binary to load
    • Event Viewer has autoElevate included in its manifest
  • Requires administrator privileges to modify the key
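Added defender-side example, not code from this wiki or from acCOMplice: it audits the footprint that the two hijacks above leave, user-hive InprocServer32 keys (especially ones that override an HKLM registration, or point at a missing or user-writable DLL) and the mscfile open handler in both hives. Function names are mine; it assumes it runs as the user whose hive is being inspected.

```powershell
# Added example, not from the wiki or acCOMplice: audit the user hive for the
# footprint the two hijacks above leave. Run as the user whose hive is inspected.
function Get-SuspiciousUserComServer {
    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return }
    Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid      = $_.PSChildName
        $userServer = "$userClsidRoot\$clsid\InprocServer32"
        if (-not (Test-Path $userServer)) { return }   # only keys with an in-proc server
        # (default) holds the DLL path; ThreadingModel is the value the hijack sets.
        $props   = Get-ItemProperty -Path $userServer -ErrorAction SilentlyContinue
        $dll     = [string]$props.'(default)'
        $hklm    = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $hklmDll = if (Test-Path $hklm) { [string](Get-ItemProperty -Path $hklm).'(default)' } else { $null }
        $expanded = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
        $reasons  = @()
        if ($hklmDll) { $reasons += 'HKCU overrides an HKLM server' }   # classic hijack shape
        if ($dll -and -not (Test-Path -LiteralPath $expanded)) { $reasons += 'DLL missing on disk' }
        if ($expanded -match '\\Users\\|\\Temp\\') { $reasons += 'user-writable path' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                CLSID          = $clsid
                UserDll        = $dll
                MachineDll     = $hklmDll
                ThreadingModel = $props.ThreadingModel
                Reasons        = ($reasons -join '; ')
            }
        }
    }
}

# The mscfile handler used by the Event Viewer example. HKCU\Software\Classes
# is merged over HKLM\Software\Classes, so both locations are reported.
function Get-MscFileHandler {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Classes\mscfile\shell\open\command"
        if (Test-Path $key) {
            [pscustomobject]@{
                Hive    = $hive
                Command = (Get-ItemProperty -Path $key).'(default)'
            }
        }
    }
}

Get-SuspiciousUserComServer | Format-Table -AutoSize
Get-MscFileHandler | Format-Table -AutoSize
```

Per-user installs under AppData will legitimately show up with the "user-writable path" reason, so the "HKCU overrides an HKLM server" reason is the one that matches the technique described above; any mscfile command under HKCU at all is worth a look, since clean machines normally only have the HKLM entry.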

Resources

https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1

https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/

https://pentestlab.blog/2020/05/20/persistence-com-hijacking/
