COM Hijacking Techniques

DerbyCon 9.0 - Finish Line

Presented by: David Tulis
Date: Saturday September 07, 2019
Time: 10:00 - 10:45
Location: Track 3

The COM interface lies at the core of Windows, and subtle registry changes can interfere with the OS in unexpected ways. COM hijacking allows an attacker to load a library into a calling COM-enabled process. It’s a feature, not a bug. While it is commonly used for persistence, some famous COM hijacks have led to more severe exploits. COM hijacking is already used by several families of malware, and it’s time that pentesters caught up on how to abuse this feature. This presentation will cover COM hijacking from start to finish, showing how to discover hijackable COM objects, how to use them offensively, and how to keep the calling process stable. The blue team will not be forgotten; the talk will cover detection strategies for identifying and defending against COM hijacks.
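The per-user registry shadowing the abstract alludes to can be audited with a short script. The following is an added example, not material from the talk or from the speaker; the function name and the list of user-writable directories are this editor's assumptions. When a process resolves a CLSID, HKCU\Software\Classes is consulted before HKLM\Software\Classes, so a key any user can write shadows the real server. The script lists CLSIDs registered under HKCU\Software\Classes\CLSID and flags those that shadow a machine-wide registration or whose server binary lives in a user-writable directory, which is the classic persistence form of the hijack.

```powershell
# Added example, not code from the talk or its speaker.
# Audits per-user COM registrations that shadow or hijack machine-wide CLSIDs.
# When a process resolves a CLSID, HKCU\Software\Classes is consulted before
# HKLM\Software\Classes, so a key a normal user can write shadows the real
# server without touching any protected part of the registry.

function Get-ComHijackCandidate {
    [CmdletBinding()]
    param(
        # Directories an unprivileged user can write to; an assumption, adjust per environment.
        [string[]] $UserWritableRoot = @($env:USERPROFILE, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)
    )

    $userRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    $machineRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }

    foreach ($clsidKey in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $userServerKey = Join-Path $clsidKey.PSPath $serverType
            if (-not (Test-Path $userServerKey)) { continue }

            # The (default) value holds the DLL or EXE path; it may be quoted or use %VARS%.
            $rawPath = (Get-ItemProperty -Path $userServerKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($rawPath)) { continue }
            $path = [Environment]::ExpandEnvironmentVariables($rawPath.Trim('"'))
            # LocalServer32 values can carry arguments after the executable; keep the first token.
            if ($serverType -eq 'LocalServer32' -and $path -match '^(.+?\.exe)') { $path = $Matches[1] }

            # Does a machine-wide registration exist that this per-user key takes precedence over?
            $machineServerKey = Join-Path $machineRoot "$clsid\$serverType"
            $shadows = Test-Path $machineServerKey

            $inUserDir = $false
            foreach ($root in $UserWritableRoot) {
                if ($root -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
            }

            [PSCustomObject]@{
                CLSID             = $clsid
                ServerType        = $serverType
                ServerPath        = $path
                ShadowsMachineKey = $shadows
                InUserWritableDir = $inUserDir
                FileExists        = Test-Path -LiteralPath $path
                # Rough triage: a user-writable binary shadowing a machine CLSID is the classic hijack.
                Suspicious        = ($shadows -or $inUserDir)
            }
        }
    }
}

# Usage: list the entries worth a closer look, most suspicious first.
Get-ComHijackCandidate |
    Where-Object Suspicious |
    Sort-Object ShadowsMachineKey, InUserWritableDir -Descending |
    Format-Table CLSID, ServerType, ShadowsMachineKey, InUserWritableDir, FileExists, ServerPath -AutoSize
```

Run it in the context of the user whose hive you want to inspect, or loop over HKEY_USERS for fleet-wide collection; 32-bit processes also consult the WOW6432Node CLSID tree, which the script does not enumerate. Two caveats a practitioner should keep in mind: elevated (high-integrity) processes ignore per-user COM registrations, so this form of the hijack only affects the user's own medium-integrity processes, and the script does not cover the other discovery path the abstract hints at, CLSIDs that a process looks up but that are not registered anywhere, which you find by watching registry activity rather than by reading HKCU.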

David Tulis

David Tulis (@kafkaesqu3) is a senior security consultant at NCC Group, where he specializes in adversary simulations, red teams, and network penetration tests. He is most comfortable operating in Windows and Active Directory environments, but always enjoys the challenge of developing new techniques, and learning how to hack new and exciting things.
