What is COM Hijacking, and how does it enable red team tradecraft?
Learn what COM is and how red teams can use it as part of their tradecraft.
Have you ever played with LEGO? No? Well, you should.
Component Object Model (COM) is like the booklet that ships with LEGO that describes how to connect pieces together to make some cool stuff. The LEGO booklet doesn’t care who made the LEGO or how old your LEGO is, as long as you follow the booklet you will be able to build LEGO models.
Similarly, COM doesn’t care which language you use or how you structure your application, as long as you build objects using COM standard, they will be able to interact with each other. COM enables components that can be written in any language (well, as long as the language can create structures of pointers and, either explicitly or implicitly, call functions through pointers) to interact with each other as objects.
You can refer to this documentation from Microsoft for a deep-dive on COM.
How can red teams use COM to their advantage?
In a Windows computer, there are many COM objects — tiny helpers that different programs use to talk to each other. When a program wants to use one of these helpers, it asks Windows, "Where can I find it?" Windows then checks a list in the Registry to find the correct location of the helper.
Red Team Notes
+ Registry keys that store COM object information:
- HKEY_CLASSES_ROOT\CLSID
- HKEY_CLASSES_ROOT\TypeLib
- HKEY_CLASSES_ROOT\Interface
- HKEY_CLASSES_ROOT\AppID
Reference Source
+ Administrator privileges are not required to abuse COM.
A red team operator can replace the path of a helper in the Registry with their own "fake helper" (a malicious COM object). This lets the operator execute code of their choosing on the target host whenever a legitimate program asks Windows for that helper. The resulting access can then be used for persistence, defense evasion, lateral movement and, in some cases, privilege escalation. If you want to learn about COM Hijacking in real-world attacks, read MITRE's documentation of COM Hijacking.
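As an added example (my own audit script, not code from the original post), the PowerShell below lists COM servers registered in the current user's hive, which a non-admin user can write and which Windows consults before the machine-wide HKLM entries when resolving a CLSID. It assumes a Windows host with PowerShell 5.1 or later; the function name is my own.

```powershell
# Added audit example (not from the original post). Enumerates per-user COM
# server registrations and flags the shape a hijack takes: a user-writable
# entry that shadows a machine-wide CLSID and points at an unexpected file.
# Assumes Windows with PowerShell 5.1 or later.
$UserClsidRoot    = 'HKCU:\Software\Classes\CLSID'   # consulted first by Windows
$MachineClsidRoot = 'HKLM:\Software\Classes\CLSID'   # machine-wide registrations

function Get-UserComServerRegistration {
    if (-not (Test-Path -LiteralPath $UserClsidRoot)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $UserClsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $serverKeyPath = "$UserClsidRoot\$clsid\$serverType"
            if (-not (Test-Path -LiteralPath $serverKeyPath)) { continue }

            # The key's default value is the DLL or EXE path Windows will load.
            $rawPath = (Get-Item -LiteralPath $serverKeyPath).GetValue('')
            if ([string]::IsNullOrWhiteSpace($rawPath)) { continue }

            # Expand %SystemRoot%-style variables and cut off any quoting or
            # command-line arguments so the file itself can be checked.
            $expanded = [Environment]::ExpandEnvironmentVariables($rawPath)
            $filePath = if ($expanded -match '^"?(.+?\.(?:dll|exe))') { $Matches[1] } else { $expanded }

            # Legitimate per-user COM servers normally live under the Windows or
            # Program Files directories; anything elsewhere deserves triage.
            $inSystemDirs = ($filePath -like "$env:SystemRoot\*") -or
                            ($filePath -like "$env:ProgramFiles\*") -or
                            ($filePath -like "${env:ProgramFiles(x86)}\*")

            [pscustomobject]@{
                Clsid               = $clsid
                ServerType          = $serverType
                ServerPath          = $rawPath
                FileExists          = Test-Path -LiteralPath $filePath
                OutsideSystemDirs   = -not $inSystemDirs
                ShadowsMachineEntry = Test-Path -LiteralPath "$MachineClsidRoot\$clsid"
            }
        }
    }
}

# Entries that shadow a machine-wide CLSID are listed first for review.
Get-UserComServerRegistration | Sort-Object ShadowsMachineEntry -Descending | Format-Table -AutoSize
```

Legitimate software does register per-user COM servers, so treat the output as a triage list rather than a verdict; an entry that both shadows a machine-wide CLSID and points outside the system directories is the one to investigate first.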
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.