gitmyhub

Ferrum

Go ★ 187 updated 5d ago

Windows security research toolkit for LPE, persistence, COM hijacking, and attack surface enumeration.

Ferrum is a security research tool for Windows, written in Go and compiled into a single executable file. It is aimed at people who audit Windows systems for vulnerabilities, specifically looking at weaknesses that could allow a low-privileged user to gain higher privileges, maintain persistence after a reboot, or hijack Windows components through a mechanism called COM (Component Object Model).

The tool follows a modular design. Each research capability is packaged as a module, and new modules can be added by implementing a small interface and registering with the core. Running the tool with specific flags runs individual modules; running it with the flag that targets all modules produces a separate report file for each one. Output can be written to a named file or folder, or the tool creates a timestamped folder automatically.

One of the documented modules focuses on COM hijacking triage, which is a technique security researchers use to find cases where Windows looks up a COM component in a location a regular user controls, allowing that user to place a malicious file there. The module automates the kind of filtering a researcher would otherwise do manually with a Windows tool called Process Monitor, narrowing down registry lookups that fail and point to locations writable by normal users.
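The filtering described above can be sketched over a Process Monitor CSV export. This is an added example, not Ferrum's own code: it assumes Process Monitor's default column names and treats the per-user COM class root `HKCU\Software\Classes\CLSID` as the user-writable location (the page does not name one). The sample rows and CLSIDs are constructed.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed sample in Process Monitor's default CSV export column layout.
const sampleCSV = `"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","example.exe","4242","RegOpenKey","HKCU\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}","NAME NOT FOUND","Desired Access: Read"
"10:00:01.0000002","example.exe","4242","RegOpenKey","HKCR\CLSID\{11111111-1111-1111-1111-111111111111}","SUCCESS","Desired Access: Read"
"10:00:01.0000003","example.exe","4242","RegOpenKey","HKLM\Software\Classes\CLSID\{22222222-2222-2222-2222-222222222222}","NAME NOT FOUND","Desired Access: Read"
"10:00:01.0000004","other.exe","5150","RegOpenKey","HKCU\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}","NAME NOT FOUND","Desired Access: Read"
`

// Assumption (not from the page): the per-user COM class root stands in for "user-writable".
const userRoot = `HKCU\SOFTWARE\CLASSES\CLSID\`

type Finding struct{ Process, Path string }

// Triage returns unique (process, key) pairs where a RegOpenKey under userRoot failed.
func Triage(data string) ([]Finding, error) {
	data = strings.TrimPrefix(data, "\ufeff") // exports may start with a UTF-8 BOM
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil || len(rows) == 0 {
		return nil, err
	}
	col := map[string]int{}
	for i, h := range rows[0] {
		col[h] = i
	}
	for _, want := range []string{"Process Name", "Operation", "Path", "Result"} {
		if _, ok := col[want]; !ok {
			return nil, fmt.Errorf("missing column %q", want)
		}
	}
	seen := map[Finding]bool{} // traces repeat the same lookup many times
	var out []Finding
	for _, row := range rows[1:] {
		f := Finding{row[col["Process Name"]], row[col["Path"]]}
		if row[col["Operation"]] == "RegOpenKey" && row[col["Result"]] == "NAME NOT FOUND" &&
			strings.HasPrefix(strings.ToUpper(f.Path), userRoot) && !seen[f] {
			seen[f] = true
			out = append(out, f)
		}
	}
	return out, nil
}

func main() { fmt.Println(Triage(sampleCSV)) }
```

Each returned pair is a review item: a process that consulted a per-user class key before the machine-wide one, which is where an audit would check for unexpected registrations.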

Building Ferrum requires Go and cross-compiles from Linux or macOS as well as from Windows itself. The README is short and the project appears to be at an early or research stage, with the module set still growing. The description lists local privilege escalation, persistence, COM hijacking, and attack surface enumeration as the primary focus areas.