COM Attack Surface
Windows Components Object Model is an old however widely used technology on Windows Systems. Its Attack surface is vast and can be utilized for various goals which I hope to cover in future articles.

0x00: COM Attack Surface Overview

COM Primer

COM Hijacking

T1546.015 - Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

COM Elevation of Privilege - UAC Bypass

T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access.

Lateral Movement with DCOM

T1021.003 - Remote Services: Distributed Component Object Model
Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.

Code Execution

T1559.001 - Inter-Process Communication: Component Object Model
Adversaries may use various COM objects to achieve their goals, some of their goals can be, Arbitrary code execution, Creating Schedules Tasks, Modification of Registry or Files, etc.
Copy link
On this page
0x00: COM Attack Surface Overview
COM Primer
COM Hijacking
COM Elevation of Privilege - UAC Bypass
Lateral Movement with DCOM
Code Execution