Session
COM Hijacking Voodoo: Tradecraft, Detection Blind Spots, and the COM-Hunter
Component Object Model (COM) is one of the most pervasive yet overlooked subsystems in Windows. Thousands of applications rely on COM objects for functionality, but the underlying registration mechanism creates opportunities for attackers to abuse the Windows registry to achieve stealthy persistence and code execution. Despite being used in real-world intrusions, COM hijacking remains under-documented and poorly understood by many defenders.
This talk explores the internals of COM registration and activation and demonstrates how attackers abuse registry-based class registrations, InprocServer32 entries, and per-user overrides to hijack legitimate COM objects. We will analyze common hijacking patterns, explain why many of them evade traditional detection logic, and highlight the operational advantages they offer during post-exploitation and persistence phases.
To help security professionals systematically identify these opportunities, this presentation introduces COM-Hunter, a research tool designed to enumerate and analyze hijackable COM objects across Windows systems. COM-Hunter maps CLSID registrations, identifies missing or user-overridable components, and highlights potential hijacking vectors that can be leveraged during red team engagements or security research.
Through practical demonstrations, we will show how COM-Hunter can be used to uncover previously overlooked hijack paths and how red teamers can turn these findings into reliable persistence mechanisms. The talk also discusses defensive considerations, including detection strategies, telemetry sources, and ways organizations can reduce the attack surface created by vulnerable COM registrations.
Attendees will leave with a deeper understanding of COM hijacking internals, practical offensive techniques, and a methodology for discovering new hijack opportunities in modern Windows environments.
Nikos Vourdas
Senior Offensive Security Consultant
Chicago, Illinois, United States
Links
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top