Jared Atkinson, Chief Strategist at SpecterOps and prolific writer on security strategy, recently introduced the very useful concept of Execution Modality to help us reason about malware techniques and how to detect them robustly. In short, Execution Modality describes how a malicious behaviour is executed, rather than only what the behaviour does. For example, the behaviour of interest might be Windows service creation, and the modality might be a system utility (such as sc.exe), a PowerShell script, or shellcode that uses indirect syscalls to write the service configuration directly into the Windows Registry. Atkinson's point is that if your goal is to detect a specific technique, your collection should sit as close as possible to the operating system's source of truth for that technique, so that the detection logic carries no assumption about which modality the attacker chose.

As an added illustration of that point (example code written for this page, not Atkinson's or SpecterOps' own), the block below places a modality-bound rule that keys on sc.exe command lines beside a modality-agnostic rule that keys on the registry value Windows actually reads to start a service, and runs both over constructed telemetry shaped like Sysmon process-creation and registry-value-set events. The event records, service names, binary paths and the `scm_bypass` flag are all assumptions made for the example; they are not real logs.

```python
import re

# Constructed sample telemetry (not real logs): one service-creation attempt per
# modality. Each modality leaves a different process-level footprint, but all of
# them end with the same write under HKLM\System\CurrentControlSet\Services.
EVENTS = [
    # Modality 1: system utility. sc.exe asks the Service Control Manager (SCM),
    # and services.exe performs the registry write.
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": 'sc.exe create UpdSvc binPath= "C:\\Users\\Public\\upd.exe" start= auto'},
    {"id": 2, "type": "registry_set", "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\UpdSvc\ImagePath",
     "details": r"C:\Users\Public\upd.exe"},
    # Modality 2: PowerShell. Different process, same SCM path, same registry write.
    {"id": 3, "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c New-Service -Name HelperSvc -BinaryPathName C:\\Temp\\h.exe"},
    {"id": 4, "type": "registry_set", "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\HelperSvc\ImagePath",
     "details": r"C:\Temp\h.exe"},
    # Modality 3: shellcode writing the service configuration itself via syscalls.
    # No sc.exe, no PowerShell, no SCM: only the registry write remains (assumed
    # here to be recorded by kernel-side registry monitoring).
    {"id": 5, "type": "registry_set", "image": r"C:\Program Files\Vendor\agent.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\SyncSvc\ImagePath",
     "details": r"C:\ProgramData\sync.exe"},
    # Benign noise: a service updating its own Parameters subkey, not ImagePath.
    {"id": 6, "type": "registry_set", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\BITS\Parameters\LastRun",
     "details": "0x5f3e"},
]


def detect_by_utility(events):
    """Modality-bound rule: fires on 'sc.exe create' command lines only.

    Returns the ids of matching events. Misses the PowerShell and shellcode
    modalities because the assumption 'service creation means sc.exe' is baked in.
    """
    hits = []
    for e in events:
        if (e["type"] == "process_create"
                and e["image"].lower().endswith("\\sc.exe")
                and " create " in e["cmdline"].lower()):
            hits.append(e["id"])
    return hits


# The ImagePath value under a service's key is what the OS reads to decide which
# binary to launch; a new one appearing is the source-of-truth signal for service
# creation whichever user-mode path produced it.
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE,
)

# Assumed name of the SCM process; writes to service keys by anything else are
# flagged as a bypass of the normal creation path, which is itself worth triage.
SCM_IMAGE = r"C:\Windows\System32\services.exe"


def detect_by_source_of_truth(events):
    """Modality-agnostic rule: fires on any new ImagePath value under Services.

    Returns one record per hit with the service name, the binary it points at and
    whether the write skipped the SCM (scm_bypass), so all three modalities are
    caught by one rule and the unusual one is still distinguishable.
    """
    hits = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        m = SERVICE_IMAGEPATH.match(e["target"])
        if not m:
            continue
        hits.append({
            "id": e["id"],
            "service": m.group(1),
            "image_path": e["details"],
            "scm_bypass": e["image"].lower() != SCM_IMAGE.lower(),
        })
    return hits


if __name__ == "__main__":
    print("utility-bound rule hit event ids:", detect_by_utility(EVENTS))
    for h in detect_by_source_of_truth(EVENTS):
        print("source-of-truth rule:", h)
```

The first rule sees only event 1; the second sees events 2, 4 and 5 and marks event 5 as an SCM bypass. The caveat a practitioner will want: the second rule is only as modality-agnostic as the collection feeding it. If the sensor records process command lines but is not configured to collect value writes under the Services key, the modality assumption has simply moved from the rule into the telemetry, which is exactly the situation Atkinson's advice is meant to prevent.
<test>
assert detect_by_utility(EVENTS) == [1]
hits = detect_by_source_of_truth(EVENTS)
assert [h["id"] for h in hits] == [2, 4, 5]
assert [h["service"] for h in hits] == ["UpdSvc", "HelperSvc", "SyncSvc"]
assert [h["scm_bypass"] for h in hits] == [False, False, True]
assert hits[2]["image_path"] == r"C:\ProgramData\sync.exe"
</test>