# Windows Components Object Model

## **Known Techniques**

### **COM Hijacking**

{% hint style="info" %}
[T1546.015](https://attack.mitre.org/techniques/T1546/015/) - Event Triggered Execution: Component Object Model Hijacking

Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
{% endhint %}

### **COM Elevation of Privilege - UAC Bypass**

{% hint style="info" %}
[T1548.002](https://attack.mitre.org/techniques/T1548/002/) - Abuse Elevation Control Mechanism: Bypass User Account Control

Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access.
{% endhint %}

### **Lateral Movement with DCOM**

{% hint style="info" %}
[T1021.003](https://attack.mitre.org/techniques/T1021/003/) - Remote Services: Distributed Component Object Model

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
{% endhint %}

### **Code Execution**

{% hint style="info" %}
[T1559.001](https://attack.mitre.org/techniques/T1559/001/) - Inter-Process Communication: Component Object Model

Adversaries may use various COM objects to achieve their goals, some of which can be arbitrary code execution, creating scheduled tasks, modification of the registry or files, etc.
{% endhint %}

## COM / DCOM reading material <a href="#componentobjectmodel-com-knowledgebase-com-dcomreadingmaterial" id="componentobjectmodel-com-knowledgebase-com-dcomreadingmaterial"></a>

### Main Source

* <https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal>

{% content-ref url="/pages/XSoqZbt69ifuYLeZhW84" %}
[Demystifying Windows Component Object Model (COM)](/offensive-security/windows-components-object-model/demystifying-windows-component-object-model-com.md)
{% endcontent-ref %}

{% content-ref url="/pages/OVbY2XjvkWwh9i9NZDzb" %}
[COM Hijacking - T1546.015](/offensive-security/windows-components-object-model/com-hijacking-t1546.015.md)
{% endcontent-ref %}

### General COM Internals <a href="#componentobjectmodel-com-knowledgebase-generalcominternals" id="componentobjectmodel-com-knowledgebase-generalcominternals"></a>

* <https://www.mandiant.com/resources/hunting-com-objects>
* <https://www.mandiant.com/resources/hunting-com-objects-part-two>
* <https://mohamed-fakroud.gitbook.io/red-teamings-dojo/windows-internals/playing-around-com-objects-part-1#conclusion>
* <https://the-deniss.github.io/posts/2021/05/17/discovering-and-exploiting-mcafee-com-objects.html>
* <https://www.tiraniddo.dev/2018/09/finding-interactive-user-com-objects_9.html?m=1>
* <https://gist.github.com/peteristhegreat/0d2d2580bd3fd353b178c1c4da2e455e>
* <https://www.codeguru.com/soap/step-by-step-com-tutorial/>
* <https://troopers.de/downloads/troopers17/TR17_Demystifying_%20COM.pdf>

### COM Hijacking / Persistence <a href="#componentobjectmodel-com-knowledgebase-comhijacking-persistence" id="componentobjectmodel-com-knowledgebase-comhijacking-persistence"></a>

* <https://pentestlab.blog/2020/05/20/persistence-com-hijacking/>
* <https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Get-ScheduledTaskComHandler.ps1>
* <https://pentestlab.blog/tag/scriptlet/>
* <https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-relaying.html>
* <https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/>


### DCOM Lateral Movement <a href="#componentobjectmodel-com-knowledgebase-dcomlateralmovement" id="componentobjectmodel-com-knowledgebase-dcomlateralmovement"></a>

* <https://www.ime.usp.br/~reverbel/SOD-97/Textos/dcom_corba/Paper.html>
* <https://www.cybereason.com/blog/dcom-lateral-movement-techniques>
* <https://redblue42.code42.com/detecting-lateral-movement-via-dcom/>
* <https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-2-dcom/>
* <https://www.scorpiones.io/articles/lateral-movement-using-dcom-objects>
* <https://blog.menasec.net/2019/02/threat-hunting-18-lateral-movement-via.html>
* <https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/>
* <https://hackdefense.com/assets/downloads/automating-the-enumeration-of-possible-dcom-vulnerabilities-axel-boesenach-v1.0.pdf>
* <https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/>


### COM Privilege Escalation / UAC Bypasses <a href="#componentobjectmodel-com-knowledgebase-comprivilegeescalation-uacbypasses" id="componentobjectmodel-com-knowledgebase-comprivilegeescalation-uacbypasses"></a>

* <https://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20James%20Forshaw%20-%20Introduction%20to%20Logical%20Privilege%20Escalation%20on%20Windows.pdf>
* <https://www.youtube.com/watch?v=q9dnYno_Moc>
* <https://www.fuzzysecurity.com/tutorials/27.html>
* <https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html>
* <https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-1.html>
* <https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz>
* <https://www.mdsec.co.uk/2022/04/process-injection-via-component-object-model-com-irundowndocallback/>
