Enumerating COM Objects and their Methods

This is a quick note to capture some of the commands for finding interesting COM objects and the methods they expose, based on the great article from Fireeye:

The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact
https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-model

This is less of a post-exploitation technique, rather a method that allows one to look for interesting COM objects that could be leveraged by one's malware.

Enumerating COM Objects

We can find all the COM objects registered on the Windows system with:

PowerShell

gwmi Win32_COMSetting | ? {$_.progid } | sort | ft ProgId,Caption,InprocServer32

Enumerating COM Object Methods

Once we have the list of COM objects and have identified an interesting COM object, we can check the methods it exposes. In this example, use the COM object WScript.Shell.1 and check its methods like so:

PowerShell

$o = [activator]::CreateInstance([type]::GetTypeFromProgID(("WScript.Shell.1"))) | gm

Below are the methods exposed by WScript.Shell.1 COM object, one of which is RegRead:

RegRead accepts one string as an argument — a path to the registry value. Example:

PowerShell

$o.RegRead("HKEY_CURRENT_USER\Volatile Environment\LOGONSERVER")

Below shows how a registry value was read successfully:

Exposing All COM Object Methods

You can iterate through all the COM objects, list their methods, and save everything to a text file for later inspection:

PowerShell

$com = gwmi Win32_COMSetting | ? {$_.progid } | select ProgId,Caption,InprocServer32

$com | % {
    $_.progid | out-file -append methods.txt
    [activator]::CreateInstance([type]::GetTypeFromProgID(($_.progid))) | gm | out-file -append methods.txt
    "`n`n" | out-file -append methods.txt
}

The output file will contain all the methods of all COM objects exposed. In the example output, methods for Shell.Application.1 are in focus: