

COM objects have recently been used by penetration testers, Red Teams, and malicious actors to perform lateral movement. COM objects were studied by several other researchers in the past, including Matt Nelson (enigma0x3), who published a blog post about it in 2017. Some of these COM objects were also added to the Empire project. To improve the Red Team practice, FireEye performed research into the available COM objects on Windows 7 and 10 operating systems. Several interesting COM objects were discovered that allow task scheduling, fileless download & execute, as well as command execution. Although not security vulnerabilities on their own, these objects can be used to defeat detection based on process behavior and heuristic signatures.

What is a COM Object?

According to Microsoft, “The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents), ActiveX (Internet-enabled components), as well as others.”

COM was created in the 1990s as a language-independent binary interoperability standard which enables separate code modules to interact with each other. This can occur within a single process or cross-process, and Distributed COM (DCOM) adds serialization allowing Remote Procedure Calls across the network.

The term “COM Object” refers to an executable code section which implements one or more interfaces deriving from IUnknown. IUnknown is an interface with 3 methods, which support object lifetime reference counting and discovery of additional interfaces. Every COM object is identified by a unique binary identifier. These 128-bit (16-byte) globally unique identifiers are generically referred to as GUIDs. When a GUID is used to identify a COM object, it is a CLSID (class identifier), and when it is used to identify an interface it is an IID (interface identifier). Some CLSIDs also have human-readable text equivalents called a ProgID.

Since COM is a binary interoperability standard, COM objects are designed to be implemented and consumed from different languages. Although they are typically instantiated in the address space of the calling process, there is support for running them out-of-process with inter-process communication proxying the invocation, and even remotely from machine to machine.

The Windows Registry contains a set of keys which enable the system to map a CLSID to the underlying code implementation (in a DLL or EXE) and thus create the object.
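As an added example (not code from the FireEye post), the ProgID → CLSID → implementation lookup the registry layout above describes, plus an inventory of every registered server and the 16-byte binary form of a GUID. It runs offline over a constructed .reg export; the key layout (HKCR\<ProgID>\CLSID, HKCR\CLSID\{guid}\InprocServer32 or LocalServer32) is the standard one, while the component name, CLSIDs and paths are invented.

```python
import re
import uuid

# Constructed .reg export (not from a real machine). A ProgID key points at a CLSID;
# the CLSID key's InprocServer32 (DLL) or LocalServer32 (EXE) subkey names the code COM loads.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Example.Component\CLSID]
@="{11111111-2222-3333-4444-555555555555}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Example\\component.dll"

[HKEY_CLASSES_ROOT\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\LocalServer32]
@="C:\\Example\\server.exe /automation"
"""

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = '(default)' if name == '@' else name.strip('"')
            keys[current][name] = data.strip('"').replace('\\\\', '\\')  # .reg escapes '\' as '\\'
    return keys

def progid_to_clsid(keys, progid):
    """Human-readable ProgID -> CLSID string, or None if the ProgID is not registered."""
    return keys.get(f"HKEY_CLASSES_ROOT\\{progid}\\CLSID", {}).get('(default)')

def clsid_server(keys, clsid):
    """CLSID -> (server kind, command/path): in-process DLL first, then out-of-process EXE."""
    base = f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}"
    for kind in ('InprocServer32', 'LocalServer32'):
        values = keys.get(f"{base}\\{kind}")
        if values and '(default)' in values:
            return kind, values['(default)']
    return None

def inventory(keys):
    """Every CLSID with a registered server: the binaries COM can be asked to load."""
    pat = re.compile(r"HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)$")
    return {m.group(1).upper(): (m.group(2), vals.get('(default)'))
            for path, vals in keys.items() if (m := pat.match(path))}

def clsid_bytes(clsid):
    """16-byte binary GUID as Windows stores it: Data1-3 little-endian, Data4 in order."""
    return uuid.UUID(clsid).bytes_le
```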
