Abusing the COM Registry Structure: CLSID, LocalServer32, & InprocServer32

Tags: Security Testing, Malware Analysis

Vendors Often Leave Behind Registry Artifacts: Understanding the Risks and Mitigation Strategies

Vendors are well known for leaving behind registry artifacts that attackers could exploit for lateral movement, evasion, bypassing security measures, and maintaining persistence. By examining CLSID subkeys, specifically LocalServer32 and InprocServer32, one can identify abandoned binary references. Notably, CLSIDs can be activated using the command: rundll32.exe -sta {CLSID}. To mitigate these risks, it is advisable to clean up artifacts after removal (for example, by unregistering), monitor for suspicious activity (such as rundll32.exe usage), and establish strong Application Whitelisting (AWL) policies and rules.

Background: In a previous discussion, I covered a lateral movement technique involving DCOM that took advantage of a missing file referenced in a registry Class Identifier (CLSID) subkey value on Windows 2008/2012 systems. After witnessing the effects of this technique, my interest in the concepts of COM (Component Object Model) and key-value path hijacking grew. Consequently, I decided to revisit CLSIDs, LocalServer32, and InprocServer32 in search of more intriguing insights.

In this post, we will explore:

The purpose of CLSIDs, LocalServer32, and InprocServer32.
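The audit the summary describes, walking each CLSID's LocalServer32 and InprocServer32 default value and flagging entries whose referenced binary no longer exists, as an added PowerShell script for defenders doing cleanup. This is not code from the original post; the function names, the registry roots it walks and the path-parsing heuristics are my own assumptions.

```powershell
# Added example, not from the original post: report COM server registrations
# whose binary is missing from disk (abandoned LocalServer32/InprocServer32).
# Assumes a Windows host and PowerShell 5.1 or later.

# Strip surrounding quotes and trailing arguments, expand %SystemRoot%-style variables.
function Resolve-ServerBinaryPath([string]$Value) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    # Unquoted value: keep everything up to the first module extension token.
    $m = [regex]::Match($expanded, '^(.+?\.(dll|exe|ocx|ax|cpl))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $expanded.Split(' ')[0]
}

function Get-OrphanedComServers {
    param(
        # HKLM (64- and 32-bit views) and HKCU all merge into HKCR; check each source.
        [string[]]$Roots = @('HKLM:\SOFTWARE\Classes\CLSID',
                             'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
                             'HKCU:\SOFTWARE\Classes\CLSID')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsid in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            foreach ($serverKey in 'LocalServer32', 'InprocServer32') {
                $keyPath = Join-Path $clsid.PSPath $serverKey
                if (-not (Test-Path $keyPath)) { continue }
                $raw = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'(default)'
                if ([string]::IsNullOrWhiteSpace($raw)) { continue }
                $binary = Resolve-ServerBinaryPath $raw
                # Bare file names (e.g. a DLL in System32) resolve through the loader
                # search path; check the two system directories before flagging them.
                if (-not [IO.Path]::IsPathRooted($binary)) {
                    $hits = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
                        ForEach-Object { Join-Path $_ $binary } |
                        Where-Object { Test-Path -LiteralPath $_ }
                    if ($hits) { continue }
                } elseif (Test-Path -LiteralPath $binary) { continue }
                [pscustomobject]@{ CLSID = $clsid.PSChildName; Server = $serverKey
                                   Binary = $binary; RawValue = $raw; Source = $root }
            }
        }
    }
}

Get-OrphanedComServers | Sort-Object CLSID | Format-Table -AutoSize
```

Each reported row is a registration to unregister or remove after confirming the owning product is gone; run it again after cleanup to verify the list is empty.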