COM Hijacking Techniques

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 7, 2019, 10 a.m. (45 minutes)

The COM interface lies at the core of Windows, and subtle registry changes can interfere with the OS in unexpected ways. COM hijacking allows an attacker to load a library into a calling COM-enabled process. It’s a feature, not a bug. While it is commonly used for persistence, some famous COM hijacks have led to more severe exploits. COM hijacking is already used by several families of malware, and it’s time that pentesters caught up on how to abuse this feature. This presentation will cover COM hijacking from start to finish: how to discover hijackable COM objects, how to use them offensively, and how to make the calling process remain stable. The blue team will not be forgotten; the talk will cover detection strategies for identifying and defending against COM hijacks.


Presenters:

  • David Tulis
    David Tulis (@kafkaesqu3) is a senior security consultant at NCC Group, where he specializes in adversary simulations, red teams, and network penetration tests. He is most comfortable operating in Windows and Active Directory environments, but always enjoys the challenge of developing new techniques, and learning how to hack new and exciting things.
