Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
T1053: Schtask
T1035: Service Execution
T1015: Sticky Keys
T1136: Create Account
T1013: AddMonitor()
T1128: NetSh Helper DLL
T1084: Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
T1180: Screensaver Hijack
T1138: Application Shimming
T1197: BITS Jobs
T1122: COM Hijacking
T1198: SIP & Trust Provider Hijacking
T1209: Hijacking Time Providers
T1130: Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

T1122: COM Hijacking

UAC Bypass/Defense Evasion, Persistence

The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents), ActiveX (Internet-enabled components), as well as others.

In this lab we will execute a file-less UAC bypass technique.

Execution

On the compromised system, change the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\open\command default value to point to your binary. In this case I chose powershell.exe:

By default, launching Windows Event Viewer calls under the hood:"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s

Since we hijacked the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\open\command to point to powershell, when launching Even Viewer, the powershell is invoked instead:

Observation

Monitoring registry for changes in HKEY_CLASSES_ROOT\mscfile\shell\open\command can reveal this hijaking activity:

References

Previous
T1197: BITS Jobs
Next
T1198: SIP & Trust Provider Hijacking
Last updated 2 years ago
Contents
Execution
Observation
References