> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/persistence/t1122-com-hijacking.md).

# COM Hijacking

> The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents), ActiveX (Internet-enabled components), as well as others.

In this lab we will execute a file-less UAC bypass technique.

## Execution

On the compromised system, change the `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\open\command` default value to point to your binary. In this case I chose powershell.exe:

![](/files/-LINFHGZZudq8oSy-ATH)

By default, launching Windows Event Viewer calls under the hood:`"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s`&#x20;

Since we hijacked the `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\open\command` to point to powershell, when launching Even Viewer, the powershell is invoked instead:

![](/files/-LINFKm5JXi-FDfE6Zes)

## Observation

Monitoring registry for changes in `HKEY_CLASSES_ROOT\mscfile\shell\open\command` can reveal this hijaking activity:

![](/files/-LINFMIYIp6TK-GCtoyK)

## References

{% embed url="<https://attack.mitre.org/wiki/Technique/T1122>" %}

{% embed url="<https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/>" %}

{% embed url="<https://www.greyhathacker.net/?p=796>" %}

{% embed url="<http://www.fuzzysecurity.com/tutorials/27.html>" %}
