Red Teaming Experiments
linkedintwitterpatreongithub
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Windows Event IDs and Others for Situational Awareness
Enumerating COM Objects and their Methods
Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging
Dump GAL from OWA
Application Window Discovery
Account Discovery & Enumeration
Using COM to Enumerate Hostname, Username, Domain, Network Drives
Detecting Sysmon on the Victim Host
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Enumerating COM Objects and their Methods
This is a quick note to capture some of the commands for finding interesting COM objects and the methods they expose, based on the great article from Fireeye.
The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact
​https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-model​
This is less of a post-exploitation technique, rather a method that allows one to look for interesting COM objects, that could be leveraged by one's malware.

We can find all the COM objects registered on the Windows system with:
gwmi Win32_COMSetting | ? {$_.progid } | sort | ft ProgId,Caption,InprocServer32

Once we have the list of COM objects and have identified an interesting COM object, we can now check the methods it exposes. In our case, let's pick a COM object WScript.Shell.1 and check its methods like so:
$o = [activator]::CreateInstance([type]::GetTypeFromProgID(("WScript.Shell.1"))) | gm
Below are the methods exposed by WScript.Shell.1 COM object, one of which is RegRead:
Let's see if we can read a registry value with RedRead method exposed by the WScript.Shell.1. RedRead accepts one string as an argument - a path to the registry value:
$o.RegRead("HKEY_CURRENT_USER\Volatile Environment\LOGONSERVER")
Below shows how a registry value was read successfully:

We can iterate through all the COM objects and list their methods and save it all to a text file that we can later on inspect for any other interesting methods:
$com = gwmi Win32_COMSetting | ? {$_.progid } | select ProgId,Caption,InprocServer32
​
$com | % {
$_.progid | out-file -append methods.txt
[activator]::CreateInstance([type]::GetTypeFromProgID(($_.progid))) | gm | out-file -append methods.txt
"`n`n" | out-file -append methods.txt
}
Below shows the output file with all the methods of all COM objects exposed, in focus are the methods for Shell.Application.1 COM object:

Hunting COM Objects | Mandiant
Previous
Windows Event IDs and Others for Situational Awareness
Next
Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks
Last modified 2yr ago
Copy link
On this page
Enumerating COM Objects
Enumerating COM Object Methods
Exposing All COM Object Methods
References