Call-Stack Laundering: Registration-Free COM as an Execution Primitive

The Problem

In 2019 I wrote about Registration-Free COM loading as a way for operators to avoid registry writes and sidestep the LoadLibrary + GetProcAddress combo that EDRs flag. The core technique holds up, but the detection story was incomplete in ways that matter operationally. This post rebuilds the topic from the ground up, corrects those gaps, and introduces three progressive loading variants that span the tradeoff space between simplicity and forensic stealth.

Re-Entrant Execution with Registration-Free COM

Loading newly developed COM objects normally requires registering them first in the Windows registry. This is no bueno for the offense. This post sheds some light on the process of Registration-Free COM loading. Then we walk through evading detection of the LoadLibraryA + GetProcAddress combo by bouncing off the Windows COM runtime to re-enter execution.

Portable Virtual Disks, ZIP Alternative

Recently, I have been thinking about alternate means of transferring content to and from enterprises in the presence of network inspection technology, like host-based DLP and AV.

So I looked into what Hyper-V virtual disks (VHDX) could offer in terms of packaging, whether they could be used as an alternative to TAR/ZIP archives, and how the defensive tech interfaces with them on a Windows machine.