acCOMplice: Tools for discovery and abuse of COM hijacks

acCOMplice

Your COM hijacking accomplice

This repository contains code samples and proofs-of-concept for exploring COM hijacking. COM hijacking is a Windows post-exploitation technique, which can be used for persistence or defense evasion.

For more information on the COM interface, how to find hijacks and techniques for abusing a hijack, please refer to the presentation given at Derbycon 9, COM Hijacking Techniques.

Project

• COMHijackToolkit: Powershell script containing helper scripts for dealing with COM hijacks. Quick highlights:
  • Extract-HijackableKeysFromProcmonCSV: parses a Procmon CSV export for hijackable objects
  • Hijack-CLSID: Hijacks a CLSID with a given DLL
  • Hijack-MultipleKeys: Hijacks multiple CLSDs concurrently with a given DLL. This is useful for finding CLSIDs which are activated often
• InjectionTemplates: 3 templates demoed at Derbycon presentation
  • Create a new process with CreateProcess
  • Inject into an existing process with CreateRemoteThread
  • Measure thread lifetimes in the current process using CreateThread
• COMinject: Proof of concept demonstrating how COM hijacks can be used to accomplish process injections/migrations
• masterkeys.csv: Some keys for you to play with
• procmon-filters: Filters for Procmon to aid in hijack identification and exploitation

Download && Use

Copyright (c) 2019, NCC Group
All rights reserved.