fix: correct COM hijacking ability to report success (#597) #600

Merged
deacon-mp merged 2 commits into master from fix/issue-597-com-hijacking-false-failure
Mar 18, 2026

Conversation

@deacon-mp (Contributor)

Summary

  • Fixes #597 ("COM hijacking via TreatAs" Ability returns failed even though it completes successfully): the "COM hijacking via TreatAs" ability falsely reports failure despite completing successfully
  • Root cause: `rundll32.exe -sta "AtomicTest"` returns a non-zero exit code, which Caldera interprets as a failed ability
  • Fix: launch `rundll32.exe` via `Start-Process` so its exit code does not propagate to the PowerShell pipeline, and emit an explicit success message with `Write-Host`
  • Also adds a proper cleanup block to remove all registry keys created by the ability

Test plan

  • Run the "COM hijacking via TreatAs" ability on an elevated Windows agent
  • Verify Caldera reports success when registry keys are set and rundll32 executes
  • Verify cleanup removes all created registry keys

The "COM hijacking via TreatAs" ability was reporting failure despite
completing successfully. The root cause was that rundll32.exe returns a
non-zero exit code which Caldera interprets as failure.

Fix: use Start-Process to launch rundll32.exe asynchronously so its exit
code does not affect the PowerShell pipeline, and emit an explicit
success message via Write-Host. Also add a cleanup block to remove the
registry keys created by the ability.

Copilot AI left a comment


Pull request overview

Fixes Caldera ability reporting for the “COM hijacking via TreatAs” persistence technique so it doesn’t incorrectly report failure when the underlying rundll32.exe -sta invocation returns a non-zero exit code, and adds cleanup for created registry keys.

Changes:

  • Switches the rundll32.exe invocation to Start-Process to avoid propagating rundll32’s exit code to the PowerShell pipeline.
  • Emits an explicit “completed successfully” message after launching the process.
  • Adds a cleanup block to delete registry keys created by the ability.


Comment on lines +32 to +33:

```powershell
$null = Start-Process -FilePath "rundll32.exe" -ArgumentList '-sta "AtomicTest"' -PassThru -ErrorAction SilentlyContinue;
Write-Host "COM hijacking via TreatAs completed successfully"
```

Ability file context (technique metadata, privilege field, and the full command):

```yaml
technique:
  attack_id: T1546.015
  name: 'Event Triggered Execution: Component Object Model Hijacking'
privilege: Elevated
```

```powershell
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f;
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f;
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /ve /T REG_SZ /d "AtomicTest" /f;
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /ve /T REG_SZ /d "C:\WINDOWS\system32\scrobj.dll" /f;
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID" /ve /T REG_SZ /d "AtomicTest" /f;
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f;
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f;
$null = Start-Process -FilePath "rundll32.exe" -ArgumentList '-sta "AtomicTest"' -PassThru -ErrorAction SilentlyContinue;
```

Suggested changes:

  • Remove `privilege: Elevated` since HKCU registry writes do not require elevation
  • Replace `C:\WINDOWS\system32\scrobj.dll` with `$env:WINDIR\System32\scrobj.dll`
  • Replace `rundll32.exe` with `$env:WINDIR\System32\rundll32.exe`
  • Check `Start-Process` return value before emitting unconditional success message
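As an added example (not code from this PR or from Caldera's ability file), the script below shows the exit-code behaviour the PR description attributes to the direct `rundll32.exe` call, then a version of the fix that also takes up the review suggestion to check the `Start-Process` result before reporting success, and finally a cleanup block for the keys the ability's `reg add` commands create. The `$env:WINDIR` paths follow the review's suggestion; the cleanup key list is derived from the commands quoted in the comment above, and the conditional exit codes are an assumption about how an operator would want Caldera to see a genuine launch failure.

```powershell
# Added example, not the PR's own code. Assumes (per the PR description) that
# Caldera marks the ability failed whenever the PowerShell run exits non-zero.

# 1. Direct invocation, the pre-fix behaviour: when rundll32.exe is the last
#    command, its non-zero exit becomes the PowerShell host's exit status, so the
#    ability is reported failed even though every reg add already succeeded.
#    Kept as a comment so this script only runs the corrected form:
#      rundll32.exe -sta "AtomicTest"
#      exit $LASTEXITCODE    # non-zero -> Caldera reports "failed"

# 2. Start-Process decouples the child's exit code from the pipeline. Keeping the
#    -PassThru object (rather than discarding it with `$null =`) lets the script
#    confirm the process actually started before it claims success; with
#    -ErrorAction SilentlyContinue a launch failure yields no object at all.
$proc = Start-Process -FilePath "$env:WINDIR\System32\rundll32.exe" `
    -ArgumentList '-sta "AtomicTest"' -PassThru -ErrorAction SilentlyContinue
if ($null -eq $proc) {
    Write-Host "rundll32.exe could not be started"
    exit 1    # a real failure should still surface to Caldera
}
Write-Host "COM hijacking via TreatAs completed successfully (pid $($proc.Id))"

# 3. Cleanup: remove every key the ability created. Keys that are already gone
#    are ignored so that cleanup itself never produces a false failure.
$keys = @(
    'HKCU:\SOFTWARE\Classes\AtomicTest.1.00',
    'HKCU:\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}',
    'HKCU:\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}'
)
foreach ($k in $keys) {
    Remove-Item -Path $k -Recurse -Force -ErrorAction SilentlyContinue
}
exit 0
```

The point of step 2 is that `Start-Process` on its own only hides the child's exit code; without inspecting the `-PassThru` result the unconditional `Write-Host` would report success even when `rundll32.exe` never launched. Step 3 removes the parent keys recursively, which covers the `CLSID`, `InprocServer32`, `VersionIndependentProgID` and `TreatAs` subkeys in one pass.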

Copilot AI commented Mar 18, 2026

@deacon-mp I've opened a new pull request, #609, to work on those changes. Once the pull request is ready, I'll request review from you.

@deacon-mp deacon-mp merged commit c7d39a9 into master Mar 18, 2026
1 check passed

Development

Successfully merging this pull request may close these issues.

"COM hijacking via TreatAs" Ability returns failed even though it completes successfully

3 participants