Windows Component Object Model

The Windows Component Object Model (COM) is an old but still widely used technology on Windows systems. Its attack surface is vast and can be abused for a variety of goals, which I hope to cover in future articles.


Last updated 2 years ago


Known Techniques

COM Hijacking

- Event Triggered Execution: Component Object Model Hijacking (T1546.015)

Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

COM Elevation of Privilege - UAC Bypass

- Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. An example of this is the use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access.

Lateral Movement with DCOM

- Remote Services: Distributed Component Object Model (T1021.003)

Adversaries may use Valid Accounts to interact with remote machines by taking advantage of the Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.

Code Execution

- Inter-Process Communication: Component Object Model (T1559.001)

Adversaries may use various COM objects to achieve their goals, such as arbitrary code execution, creating scheduled tasks, and modifying the registry or files.

COM / DCOM reading material

Main Source

- https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal

General COM Internals

- https://www.mandiant.com/resources/hunting-com-objects
- https://www.mandiant.com/resources/hunting-com-objects-part-two
- https://mohamed-fakroud.gitbook.io/red-teamings-dojo/windows-internals/playing-around-com-objects-part-1#conclusion
- https://the-deniss.github.io/posts/2021/05/17/discovering-and-exploiting-mcafee-com-objects.html
- https://www.tiraniddo.dev/2018/09/finding-interactive-user-com-objects_9.html?m=1
- https://gist.github.com/peteristhegreat/0d2d2580bd3fd353b178c1c4da2e455e
- https://www.codeguru.com/soap/step-by-step-com-tutorial/
- https://troopers.de/downloads/troopers17/TR17_Demystifying_%20COM.pdf

COM Hijacking / Persistence

- https://pentestlab.blog/2020/05/20/persistence-com-hijacking/
- https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Get-ScheduledTaskComHandler.ps1
- https://pentestlab.blog/tag/scriptlet/
- https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-relaying.html
- https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/

DCOM Lateral Movement

- https://www.ime.usp.br/~reverbel/SOD-97/Textos/dcom_corba/Paper.html
- https://www.cybereason.com/blog/dcom-lateral-movement-techniques
- https://redblue42.code42.com/detecting-lateral-movement-via-dcom/
- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-2-dcom/
- https://www.scorpiones.io/articles/lateral-movement-using-dcom-objects
- https://blog.menasec.net/2019/02/threat-hunting-18-lateral-movement-via.html
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://hackdefense.com/assets/downloads/automating-the-enumeration-of-possible-dcom-vulnerabilities-axel-boesenach-v1.0.pdf
- https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/

COM Privilege Escalation / UAC Bypasses

- https://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20James%20Forshaw%20-%20Introduction%20to%20Logical%20Privilege%20Escalation%20on%20Windows.pdf
- https://www.youtube.com/watch?v=q9dnYno_Moc
- https://www.fuzzysecurity.com/tutorials/27.html
- https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
- https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-1.html
- https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz
- https://www.mdsec.co.uk/2022/04/process-injection-via-component-object-model-com-irundowndocallback/