
Shebin Mathew
Security Consultant
Shebin Mathew is a Security Researcher and Consultant with extensive experience in Red Teaming, focusing on execution and initial compromises. He holds several certifications, including OSCP, OSWP, CARTP, GRID, GICSP, CRT, CPSA, CCNA, and MCSA. Currently, he serves as a Red Teaming Consultant for the top-tier organization Google/Mandiant.
Beyond his professional work, Shebin actively engages with the cybersecurity community, offering educational sessions to college students. He is committed to sharing his expertise and insights, making significant contributions both professionally and within the community.
Talks & Q&A
Bring Your Own COM Session – Pivoting and Lateral Movement via Ephemeral COM Registration
Description:
Modern EDR solutions trust process lineage — and that trust is the attack surface.
This talk introduces "Bring Your Own COM" (BYOC), a novel post-exploitation primitive that generates a random COM identity at runtime, forces the Windows DCOM Service Control Manager to spawn dllhost.exe as an unwitting execution proxy, and erases every registry artefact within milliseconds. No pre-existing COM object is required. No stable CLSID exists to blocklist.
Every execution looks different.
BYOC achieves two concrete offensive objectives simultaneously. The first is cross-session token theft and lateral movement: pivoting into a targeted user's active desktop session without CreateProcess, without spawning a shell, and without any attacker process appearing in the victim session tree. The second is agentless remote lateral movement: executing a payload on a remote host entirely within dllhost.exe memory space, leaving no logon artefact and no attacker-owned process visible on the target.

