Detects anomalous use of COM objects for execution, such as Office applications spawning scripting engines, enumeration of COM interfaces via registry queries under HKLM\SOFTWARE\Classes\CLSID, or processes loading atypical DLLs (for example from user-writable paths) through COM activation. Correlates process creation, module loads, and registry key access within a bounded time window to flag suspicious COM-based code execution or persistence. Note that Security event 4656 is only emitted for a registry key when the Audit Registry object-access subcategory is enabled and a SACL is set on that key, so coverage of the registry-query leg depends on that auditing being configured.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Windows Registry Key Access (DC0050) | WinEventLog:Security | EventCode=4656 |

| Field | Description |
|---|---|
| COMObjectAllowList | Legitimate COM CLSIDs and ProgIDs used by enterprise applications; registry queries for these are ignored, to reduce false positives. |
| ParentProcessExclusions | Expected parent-child process relationships (e.g., explorer.exe spawning dllhost.exe) that are suppressed even when they otherwise match. |
| TimeWindow | Maximum interval between a COM-related registry query and the subsequent process creation or DLL load for the two events to be correlated. |
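The correlation described above, as an added example that is not part of the original page: a small Python correlator that walks Sysmon EID 1/7 and Security 4656 events in time order, applies the three tunables from the table, and raises one alert per pattern. It assumes the events have already been normalized to a common `UtcTime` field and the named keys (Sysmon uses decimal `ProcessId`, the Security log uses hex, and the helper handles both); the allowlisted Word CLSID, the exclusion pairs, the 60-second window, and the three-CLSID enumeration threshold are illustrative values, and the sample events are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables mirroring the fields in the table above (values are illustrative assumptions).
COM_OBJECT_ALLOWLIST = {"{00020906-0000-0000-C000-000000000046}"}  # assumed enterprise-approved CLSID (Word.Document)
PARENT_PROCESS_EXCLUSIONS = {("explorer.exe", "dllhost.exe"), ("svchost.exe", "dllhost.exe")}
TIME_WINDOW = timedelta(seconds=60)
ENUMERATION_THRESHOLD = 3  # distinct non-allowlisted CLSIDs queried by one process inside TIME_WINDOW

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
# Module loads from outside these roots are treated as "atypical" (assumption for this example).
TRUSTED_DLL_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                        "c:\\program files\\", "c:\\program files (x86)\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _pid(value):
    # Security 4656 carries hex PIDs ("0x1450"); Sysmon carries decimal ("5200").
    s = str(value).lower()
    return int(s, 16) if s.startswith("0x") else int(s)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect_com_abuse(events, allowlist=COM_OBJECT_ALLOWLIST,
                     exclusions=PARENT_PROCESS_EXCLUSIONS, window=TIME_WINDOW):
    """Correlate Sysmon EID 1/7 with Security 4656 registry access; return a list of alerts."""
    alerts = []
    clsid_queries = defaultdict(list)  # pid -> [(time, clsid)] seen inside the sliding window

    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        t, pid = _ts(ev["UtcTime"]), _pid(ev["ProcessId"])

        if ev["EventCode"] == 1:  # Office app spawning a scripting engine
            parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
            if parent in OFFICE_APPS and child in SCRIPT_ENGINES and (parent, child) not in exclusions:
                alerts.append({"rule": "office_spawns_script_engine", "pid": pid,
                               "parent": parent, "child": child})

        elif ev["EventCode"] == 4656 and "\\clsid\\" in ev["ObjectName"].lower():  # COM interface lookup
            m = CLSID_RE.search(ev["ObjectName"])
            if not m or m.group(0).upper() in allowlist:
                continue
            recent = [(qt, c) for qt, c in clsid_queries[pid] if t - qt <= window]
            recent.append((t, m.group(0).upper()))
            clsid_queries[pid] = recent
            distinct = {c for _, c in recent}
            if len(distinct) == ENUMERATION_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append({"rule": "clsid_enumeration", "pid": pid, "clsids": sorted(distinct)})

        elif ev["EventCode"] == 7:  # DLL load shortly after a CLSID lookup by the same process
            atypical = not ev["ImageLoaded"].lower().startswith(TRUSTED_DLL_PREFIXES)
            recent_query = any(t - qt <= window for qt, _ in clsid_queries[pid])
            if atypical and recent_query:
                alerts.append({"rule": "com_activation_loads_atypical_dll", "pid": pid,
                               "dll": ev["ImageLoaded"]})
    return alerts


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
CLSID_KEY = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\"
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:00", "ProcessId": "4120",
     "Image": OFFICE, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:05", "ProcessId": "5200",
     "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": OFFICE},
    {"EventCode": 4656, "UtcTime": "2024-05-01 10:00:06", "ProcessId": "0x1450",
     "ObjectName": CLSID_KEY + "{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}\\InprocServer32"},
    {"EventCode": 4656, "UtcTime": "2024-05-01 10:00:06", "ProcessId": "0x1450",
     "ObjectName": CLSID_KEY + "{13709620-C279-11CE-A49E-444553540000}\\InprocServer32"},
    {"EventCode": 4656, "UtcTime": "2024-05-01 10:00:07", "ProcessId": "0x1450",
     "ObjectName": CLSID_KEY + "{0D43FE01-F093-11CF-8940-00A0C9054228}\\InprocServer32"},
    {"EventCode": 7, "UtcTime": "2024-05-01 10:00:08", "ProcessId": "5200",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.dll"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:01:00", "ProcessId": "6000",
     "Image": "C:\\Windows\\System32\\dllhost.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": 4656, "UtcTime": "2024-05-01 10:05:00", "ProcessId": "0x1018",
     "ObjectName": CLSID_KEY + "{00020906-0000-0000-C000-000000000046}"},  # allowlisted
    {"EventCode": 7, "UtcTime": "2024-05-01 10:05:01", "ProcessId": "4120",
     "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\oart.dll"},
]

if __name__ == "__main__":
    for alert in detect_com_abuse(SAMPLE_EVENTS):
        print(alert)
```

Against the sample, the wscript.exe child (PID 5200) trips all three rules in sequence: the Office-to-script-engine spawn, three distinct non-allowlisted CLSID lookups inside the window, and a DLL load from the user's Temp directory within the window of those lookups. The Word process itself only touches an allowlisted CLSID and loads from Program Files, so it stays quiet, and the explorer.exe to dllhost.exe pair is ignored. Widening TimeWindow or lowering the enumeration threshold increases sensitivity at the cost of catching normal COM-heavy applications, which is what COMObjectAllowList is for.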