Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
Schtask
Service Execution
Sticky Keys
Create Account
AddMonitor()
NetSh Helper DLL
Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
Screensaver Hijack
Application Shimming
BITS Jobs
COM Hijacking
SIP & Trust Provider Hijacking
Hijacking Time Providers
Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
COM Hijacking
UAC Bypass/Defense Evasion, Persistence
The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents), ActiveX (Internet-enabled components), as well as others.
In this lab we will execute a file-less UAC bypass technique.

Execution

On the compromised system, change the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\open\command default value to point to your binary. In this case I chose powershell.exe:
By default, launching Windows Event Viewer calls under the hood:"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
Since we hijacked the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\open\command to point to powershell, when launching Even Viewer, the powershell is invoked instead:

Observation

Monitoring registry for changes in HKEY_CLASSES_ROOT\mscfile\shell\open\command can reveal this hijaking activity:

References

Event Triggered Execution: Component Object Model Hijacking, Sub-technique T1546.015 - Enterprise | MITRE ATT&CK®
“Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking
enigma0x3
Bypassing Windows User Account Control (UAC) and ways of mitigation
GreyHatHacker.NET
FuzzySecurity | Anatomy of UAC Attacks
Previous
BITS Jobs
Next
SIP & Trust Provider Hijacking
Last modified 2yr ago
Copy link
Contents
Execution
Observation
References