Component Object Model

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, i.e. executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).

Various COM interfaces are exposed that can be abused to invoke arbitrary execution from a variety of programming languages such as C, C++, Java, and Visual Basic. Specific COM objects also exist that directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.

Blog:

https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html

*Some small edits need to be applied, as an IP address is always given in these posts for lateral movement; by removing it we can execute locally.

Examples:

First we start by searching for the COM objects available on the host that would allow us to execute code on the local machine. PowerShell is a great way to enumerate COM objects and find one that has a suitable method to execute code.

So with some proper enumeration and some testing we can find a COM object that exposes a method allowing us to execute code.

Now in this example we will use an already known COM object, ShellWindows, and its ShellExecute method.

Let us instantiate the object by its CLSID: Type.GetTypeFromCLSID paired with the Activator.CreateInstance method does this, so you will need the CLSID of the object to do this correctly.

Now we can invoke any methods we want, but since we want to achieve actual interaction with the host, from here we access the ShellWindows.Item method.

When going through all the methods and doing the proper research, the method that stood out was "Document.Application.ShellExecute".
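From the defender's side, the same PowerShell enumeration the steps above rely on can be turned into an audit of which server binaries COM is able to load on a host. The script below is an added example, not code from the original page or the linked blogs: it walks the registered CLSIDs, resolves each InprocServer32/LocalServer32 binary, and flags servers that live outside the Windows directory or lack a valid Authenticode signature as review candidates for a baseline. The registry root and the CSV output path are assumptions.

```powershell
# Added example (not from the original page): audit-stance inventory of registered COM
# classes, so a defender can baseline which server binaries COM can load and review
# the ones outside %SystemRoot% or without a valid Authenticode signature.
# Assumes the 64-bit view of HKLM:\SOFTWARE\Classes\CLSID; run from an elevated PowerShell.

function Get-ComServerPath {
    param([string]$RawValue)
    # Registry values look like: C:\x\y.dll  |  "C:\x\y.exe" /automation  |  %SystemRoot%\z.dll
    $expanded = [Environment]::ExpandEnvironmentVariables($RawValue.Trim())
    if ($expanded.StartsWith('"')) {
        return $expanded.Split('"')[1]          # quoted path: drop trailing arguments
    }
    # Unquoted: cut before the first argument-looking token (whitespace then '/' or '-')
    return ($expanded -split '\s+(?=[/-])')[0]
}

function Get-ComServerInventory {
    param([string]$ClsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID')
    $systemRoot = $env:SystemRoot.ToLower()
    foreach ($clsidKey in Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue) {
        foreach ($serverKind in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path $clsidKey.PSPath $serverKind
            if (-not (Test-Path $serverKey)) { continue }
            $raw = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            $path   = Get-ComServerPath -RawValue $raw
            $exists = Test-Path -LiteralPath $path
            $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'Missing' }
            [pscustomobject]@{
                Clsid      = $clsidKey.PSChildName
                ProgId     = (Get-ItemProperty -Path (Join-Path $clsidKey.PSPath 'ProgID') -ErrorAction SilentlyContinue).'(default)'
                ServerKind = $serverKind
                ServerPath = $path
                Signature  = $sig
                # Review hint only: legitimate third-party COM servers (e.g. under Program Files)
                # will also appear here, so compare against a known-good baseline.
                Suspicious = (-not $path.ToLower().StartsWith($systemRoot)) -or ($sig -ne 'Valid')
            }
        }
    }
}

# Usage: show the review candidates, then keep the full inventory as a baseline
$inventory = Get-ComServerInventory
$inventory | Where-Object Suspicious | Sort-Object ServerPath | Format-Table -AutoSize
$inventory | Export-Csv -NoTypeInformation -Path "$env:TEMP\com-server-baseline.csv"
```

Diffing a later run against the saved CSV shows newly registered or re-pointed COM servers, which is more useful than the one-off suspicious list on a host with many third-party applications.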

Demo:
