Microsoft introduced the Component Object Model (COM) in Windows 3.11 as a way to implement objects that can be used by different frameworks (ActiveX, COM+, DCOM, etc.) and that allow interoperability, inter-process communication, and code reuse across Windows environments. Abusing COM objects lets red teams execute arbitrary code in the context of trusted processes. COM hijacking does not require administrative privileges, because classes registered in the HKCU registry hive are resolved before those in HKLM. The one exception is high-integrity (elevated) processes, which load objects only from HKLM to prevent privilege escalation.
Features
1. Locate valid CLSIDs on the target user's computer;
2. Locate valid CLSIDs through the Task Scheduler on the target user's computer;
3. Find out whether anyone has already used these valid CLSIDs for COM hijacking persistence (LocalServer32/InprocServer32);
4. Find out whether anyone has used any valid CLSID for COM hijacking persistence (LocalServer32/InprocServer32) through the Task Scheduler;
5. Attempt to establish COM hijacking persistence automatically through the Task Scheduler;
6. Attempt to use the 'TreatAs' key to redirect to another component;
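Because HKCU entries win over HKLM for non-elevated processes (as described above), the defensive counterpart of features 3, 4 and 6 is an audit of the current user's CLSID hive. The following PowerShell script is an added example, not part of COM-Hunter or its author's code: it lists every HKCU CLSID that carries an InprocServer32, LocalServer32 or TreatAs key, compares it with the machine-wide registration, and then checks whether any scheduled task uses a COM handler whose CLSID has such an override. The function names, the "user-writable path" heuristic and the Suspicious scoring are the example's own assumptions; run it in an unelevated session as the user being audited so that HKCU: maps to that user's hive.

```powershell
# Added example (not part of COM-Hunter): audit HKCU CLSID registrations that
# would take precedence over HKLM for non-elevated processes.

function Get-HkcuComOverride {
    [CmdletBinding()]
    param(
        # Registry keys a hijack has to write to get its code (or a redirect) loaded.
        [string[]]$ServerKeys = @('InprocServer32', 'LocalServer32', 'TreatAs')
    )

    $userRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return @() }

    foreach ($clsidKey in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($server in $ServerKeys) {
            $userSub = Join-Path $clsidKey.PSPath $server
            if (-not (Test-Path $userSub)) { continue }

            # The (default) value holds the DLL/EXE path, or for TreatAs the CLSID it redirects to.
            $userValue = (Get-ItemProperty -Path $userSub -ErrorAction SilentlyContinue).'(default)'
            $machineSub = "HKLM:\Software\Classes\CLSID\$clsid\$server"
            $machineValue = if (Test-Path $machineSub) {
                (Get-ItemProperty -Path $machineSub -ErrorAction SilentlyContinue).'(default)'
            } else { $null }

            # Does a machine-wide registration exist that this HKCU entry would shadow?
            $shadowsHklm = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"
            # Heuristic (assumption): servers living under the user profile are user-writable.
            $inUserProfile = $userValue -match '^[A-Z]:\\Users\\|%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP)%'

            [pscustomobject]@{
                CLSID        = $clsid
                ServerKey    = $server
                UserValue    = $userValue
                MachineValue = $machineValue
                ShadowsHKLM  = $shadowsHklm
                UserWritable = $inUserProfile
                # Classic hijack shape: a user-hive override of a machine CLSID that points into
                # a user-writable location, or a TreatAs redirect of a machine CLSID.
                Suspicious   = ($shadowsHklm -and ($inUserProfile -or $server -eq 'TreatAs'))
            }
        }
    }
}

function Get-TaskComHandlerOverride {
    # Scheduled tasks can run a COM handler instead of an executable. If the handler's CLSID has
    # an HKCU server entry and the task is not elevated, the user-hive server is what gets loaded.
    $overrides = Get-HkcuComOverride | Group-Object -Property CLSID -AsHashTable -AsString
    if (-not $overrides) { return @() }

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if ($action.CimClass.CimClassName -ne 'MSFT_TaskComHandlerAction') { continue }
            $clsid = $action.ClassId
            if (-not $overrides.ContainsKey($clsid)) { continue }

            [pscustomobject]@{
                TaskPath     = $task.TaskPath
                TaskName     = $task.TaskName
                CLSID        = $clsid
                # Elevated tasks load COM servers only from HKLM, so the HKCU entry does not apply.
                ElevatedTask = ($task.Principal.RunLevel -eq 'Highest')
                UserServers  = ($overrides[$clsid] | ForEach-Object { "$($_.ServerKey)=$($_.UserValue)" }) -join '; '
            }
        }
    }
}

# Usage: report the overrides worth a closer look, then the tasks that would load them.
Get-HkcuComOverride | Where-Object Suspicious | Format-Table -AutoSize
Get-TaskComHandlerOverride | Where-Object { -not $_.ElevatedTask } | Format-Table -AutoSize
```

Two design notes: the script reads only the user's own hive, so it finds what that user (or malware running as that user) could have written without elevation; and it reports the HKLM value next to the HKCU one so that a legitimate per-user registration (same path as the machine-wide one) can be told apart from a redirect into a profile directory. A task with RunLevel Highest is listed but not flagged, because the page's own rule applies: elevated processes resolve the CLSID from HKLM only.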
Tool requirements
.NET Framework v4.8
Tool download
Researchers can use the following commands to clone the source code of this project locally:
git clone https://github.com/nickvourd/COM-Hunter.git
Tool help information
[+] Usage: .\COM-Hunter.exe <mode> <options>

    -> General Options:
        -h, --help        Display help information and exit
        -v, --version     Display the current version of the tool
        -a, --about       Display other information related to the tool

    -> Modes:
        Search            Search mode
        Persistence       Persistence mode

    -> Search Mode:
        Get-Entry         Search for valid CLSID entries
        Get-Tasksch       Search for valid CLSID entries through the Task Scheduler
        Find-Persist      Search whether anyone has already used a valid CLSID (security defense)
        Find-Tasksch      Search whether anyone has used any valid CLSID through the Task Scheduler (security defense)

    -> Persistence Mode:
        General           Use the common registry method to achieve COM hijacking persistence
        Tasksch           Attempt to achieve COM hijacking persistence through the Task Scheduler
        TreatAs           Attempt to use the TreatAs registry key to achieve COM hijacking persistence

    -> General Usage:
        .\COM-Hunter.exe Persistence General <clsid> <full_path_of_evil_dll>

    -> Tasksch Usage:
        .\COM-Hunter.exe Persistence Tasksch <full_path_of_evil_dll>

    -> TreatAs Usage:
        .\COM-Hunter.exe Persistence TreatAs <clsid> <full_path_of_evil_dll>
Tool Usage Examples
Search for Entries Containing Valid CLSID (Search Mode)
.\COM-Hunter.exe Search Get-Entry
Search for Persistence Hijacking Points (Search Mode)
.\COM-Hunter.exe Search Find-Persist
Common Methods (Persistence Mode)
.\COM-Hunter.exe Persist General 'HKCU:Software\Classes\CLSID\...' C:\Users\nickvourd\Desktop\beacon.dll
Scheduled Task (Persistence Mode)
.\COM-Hunter.exe Persist Tasksch C:\Users\nickvourd\Desktop\beacon.dll
Valid CLSID Format Examples
Software\Classes\CLSID\...
HKCU:Software\Classes\CLSID\...
HKCU:\Software\Classes\CLSID\...
HKCU\Software\Classes\CLSID\...
HKEY_CURRENT_USER:Software\Classes\CLSID\...
HKEY_CURRENT_USER:\Software\Classes\CLSID\...
HKEY_CURRENT_USER\Software\Classes\CLSID\...
License
This project is developed and released under the MIT open source license.
Project Address
COM-Hunter: https://github.com/nickvourd/COM-Hunter
Reference Materials
https://courses.zeropointsecurity.co.uk/courses/red-team-ops
https://twitter.com/zeropointsecltd