Blue teams need to expand their monitoring beyond the traditional persistence techniques. Adversaries are moving to stealthier ones: imagine that simply opening "My Documents" is enough to execute the adversary's code. It is all done by abusing the Component Object Model (COM).
The Component Object Model (COM) is a software development architecture that helps in building software by combining a set of binary (compiled) software components. Such a model separates the development of the components across teams and expands code reusability.
Creating a Simple COM Component
One of the easy ways to create a COM component is by using a scriptlet file, which is an Extensible Markup Language (XML) file that contains:
- The component code written using a scripting language.
- The component registration details, which include the component name and a globally unique identifier called the Class ID (CLSID), which is used to identify the component.
The following is an example of a simple component to perform the mathematical sum operation:
Regsvr32 registering the COM component
The registration details are stored under the following Windows registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ with the component's class ID as a subkey:
The registry entries that will be created after registering the COM scriptlet
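Given that registry layout, one check a blue team can run is the following added PowerShell example (not code from the original post): it walks the CLSID keys and reports classes backed by a scriptlet file or by an in-process server located outside the Windows and Program Files directories. It assumes that Windows Script Components record the scriptlet path under a ScriptletURL subkey, and it also scans HKCU, where a per-user registration shadows the machine-wide one for that user.

```powershell
# Added example, not from the original post: lists registered COM classes backed by a
# scriptlet (ScriptletURL) or by an in-process server outside the Windows/Program Files
# trees. Assumes the CLSID layout shown above; HKCU is included because a per-user
# registration shadows the machine-wide one for that user.
$Hives = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-DefaultValue([string]$KeyPath) {
    # The key's (default) value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { $null }
}

function Get-ServerPathReason([string]$RawPath) {
    # Strip quotes, expand %VAR% references, then classify the server location.
    $p = [Environment]::ExpandEnvironmentVariables($RawPath.Trim().Trim('"'))
    if ($p -notmatch '\\') { return "unqualified server name, resolved via DLL search order: $p" }
    foreach ($root in $TrustedRoots) {
        if ($p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $null }
    }
    return "server outside trusted roots: $p"
}

function Get-SuspiciousComClass {
    foreach ($hive in $Hives) {
        if (-not (Test-Path $hive)) { continue }
        foreach ($key in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
            $sct    = Get-DefaultValue "$($key.PSPath)\ScriptletURL"
            $server = Get-DefaultValue "$($key.PSPath)\InprocServer32"
            $reason = $null
            if ($sct) { $reason = "scriptlet-backed class: $sct" }
            elseif ($server) { $reason = Get-ServerPathReason $server }
            if ($reason) {
                [PSCustomObject]@{
                    Hive   = $hive.Split(':')[0]
                    CLSID  = $key.PSChildName
                    Name   = Get-DefaultValue $key.PSPath
                    Reason = $reason
                }
            }
        }
    }
}

Get-SuspiciousComClass | Format-Table -AutoSize
```

Run it once on a known-good build to baseline the unqualified and third-party entries, then diff later runs against that baseline rather than triaging every hit.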
Using the Created Component
There are several ways to instantiate COM components. The following example shows how to use our component from PowerShell.