Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/nickvourd/com-hunter

COM Hijacking VOODOO
https://github.com/nickvourd/com-hunter

com comhijacking csharp microsoft persistence tool windows

Last synced: about 20 hours ago
JSON representation

COM Hijacking VOODOO

Host: GitHub
URL: https://github.com/nickvourd/com-hunter
Owner: nickvourd
License: mit
Created: 2022-05-26T19:34:59.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2023-09-06T09:48:55.000Z (about 1 year ago)
Last Synced: 2023-11-07T17:33:41.578Z (about 1 year ago)
Topics: com, comhijacking, csharp, microsoft, persistence, tool, windows
Language: C#
Homepage:
Size: 47.9 KB
Stars: 217
Watchers: 2
Forks: 39
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# COM-Hunter
COM Hijacking VOODOO

COM-hunter is a COM Hijacking persistnce tool written in C#.

This tool was inspired during the [RTO course](https://courses.zeropointsecurity.co.uk/courses/red-team-ops) of [@zeropointsecltd](https://twitter.com/zeropointsecltd)

## Features

- Finds out entry valid CLSIDs in the victim's machine.
- Finds out valid CLSIDs via Task Scheduler in the victim's machine.
- Finds out if someone already used any of those valid CLSIDs in order to do COM persistence (LocalServer32/InprocServer32).
- Finds out if someone already used any of valid CLSID via Task Scheduler in order to do COM persistence (LocalServer32/InprocServer32).
- Tries to do automatically COM Hijacking Persistence with general valid CLSIDs (LocalServer32/InprocServer32).
- Tries to do automatically COM Hijacking Persistence via Task Scheduler.
- Tries to use "TreatAs" key in order to refere to a different component.

## Special Thanks
- [@dimtsikopoulos](https://twitter.com/dimtsikopoulos)
- [@0xvm](https://twitter.com/0xvm)

## License
Copyright (c) 2022 Nikos Vourdas

Under the [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)

## .NET Framework
### 4.8

## Usage

```
[+] Usage:

.\COM-Hunter.exe

-> General Options:
-h, --help Shows help and exits.
-v, --version Shows current version and exits.
-a, --about Shows info, credits about the tool and exits.

-> Modes:
Search Search Mode
Persist Persist Mode

-> Search Mode:
Get-Entry Searches for valid CLSIDs entries.
Get-Tasksch Searches for valid CLSIDs entries via Task Scheduler.
Find-Persist Searches if someone already used a valid CLSID (Defence).
Find-Tasksch Searches if someone already used a valid CLSID via Task Scheduler (Defence).

-> Persist Mode:
General Uses General method to apply COM Hijacking Persistence in Registry.
Tasksch Try to do COM Hijacking Persistence via Task Scheduler.
TreatAs Uses TreatAs Registry key to apply COM Hijacking Persistence in Registry.

-> General Usage:
.\COM-Hunter.exe Persist General

-> Tasksch Usage:
.\COM-Hunter.exe Persist Tasksch

-> TreatAs Usage:
.\COM-Hunter.exe Persist TreatAs
```

## Example Usages
- Get-Entry (Search Mode):

```
.\COM-Hunter.exe Search Get-Entry
```
- Find-Persist (Search Mode):

```
.\COM-Hunter.exe Search Find-Persist
```

- General (Persist Mode):

```
.\COM-Hunter.exe Persist General 'HKCU:Software\Classes\CLSID\...' C:\Users\nickvourd\Desktop\beacon.dll
```

- Tasksch (Persist Mode):

```
.\COM-Hunter.exe Persist Tasksch C:\Users\nickvourd\Desktop\beacon.dll
```

## Example Format Valid CLSIDs

```
Software\Classes\CLSID\...
```
```
HKCU:Software\Classes\CLSID\...
```
```
HKCU:\Software\Classes\CLSID\...
```
```
HKCU\Software\Classes\CLSID\...
```
```
HKEY_CURRENT_USER:Software\Classes\CLSID\...
```
```
HKEY_CURRENT_USER:\Software\Classes\CLSID\...
```
```
HKEY_CURRENT_USER\Software\Classes\CLSID\...
```