Inter-Process Communication: Component Object Model

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.[1] Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).[2] Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).[1]

Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.[2] Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.[1][3]

ID: T1559.001
Sub-technique of: T1559
Tactic: Execution
Platforms: Windows
Supports Remote: Yes
Version: 1.1
Created: 12 February 2020
Last Modified: 26 July 2021

Procedure Examples

ID Name Description
S1039 Bumblebee

Bumblebee can use a COM object to execute queries to gather system information.[4]

S1066 DarkTortilla

DarkTortilla has used the WshShortcut COM object to create a .lnk shortcut file in the Windows startup folder.[5]

S1044 FunnyDream

FunnyDream can use COM objects identified by CLSID_ShellLink (IShellLink and IPersistFile) and WScript.Shell (RegWrite method) to enable persistence mechanisms.[6]

G0047 Gamaredon Group

Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.[7]

S0666 Gelsemium

Gelsemium can use the IARPUinstallerStringLauncher COM interface as part of its UAC bypass process.[8]

S0698 HermeticWizard

HermeticWizard can execute files on remote machines using DCOM.[9]

S0260 InvisiMole

InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.[10]

S1015 Milan

Milan can use a COM component to generate scheduled tasks.[11]

G0069 MuddyWater

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.[12][13][14]

S0691 Neoichor

Neoichor can use the Internet Explorer (IE) COM interface to connect and receive commands from C2.[15]

S0223 POWERSTATS

POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.[16]

S0458 Ramsay

Ramsay can use the Windows COM API to schedule tasks and maintain persistence.[17]

S0266 TrickBot

TrickBot used COM to set up a scheduled task for persistence.[18]

S0386 Ursnif

Ursnif droppers have used COM objects to execute the malware's full executable payload.[19]

Mitigations

ID Mitigation Description
M1048 Application Isolation and Sandboxing

Ensure all COM alerts and Protected View are enabled.[20]

M1026 Privileged Account Management

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications.[21]

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM applications that do not set their own process-wide security.[22][23]
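The two registry locations above are where COM's launch and access permissions live, but Dcomcnfg.exe shows them one application at a time, which makes baselining tedious. The script below is an added example, not ATT&CK's or Microsoft's code: it reads the system-wide defaults under HKLM\SOFTWARE\Microsoft\Ole, decodes the REG_BINARY security descriptors into SDDL so the ACLs are legible, and then lists every AppID that overrides those defaults with its own LaunchPermission, AccessPermission or RunAs value. The value names used are the documented ones; the script is read-only and assumes an elevated session.

```powershell
# Added example (not ATT&CK's or Microsoft's code): read-only audit of the
# COM/DCOM security settings referenced by mitigation M1026.
# Run in an elevated PowerShell session; it changes nothing.

# Decode a REG_BINARY security descriptor (the format Dcomcnfg.exe writes)
# into SDDL so the ACL can be read and compared against a baseline.
function ConvertTo-SddlString {
    param([byte[]]$Bytes)
    if (-not $Bytes) { return '<not set: built-in default applies>' }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# 1. System-wide defaults under HKLM\SOFTWARE\Microsoft\Ole. These apply to
#    every COM server that does not set its own process-wide security.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
[pscustomobject]@{
    EnableDCOM                = $ole.EnableDCOM                 # 'Y' = remote activation allowed
    LegacyAuthenticationLevel = $ole.LegacyAuthenticationLevel  # RPC auth level for callers that set none
    LegacyImpersonationLevel  = $ole.LegacyImpersonationLevel
    DefaultLaunchPermission   = ConvertTo-SddlString $ole.DefaultLaunchPermission
    DefaultAccessPermission   = ConvertTo-SddlString $ole.DefaultAccessPermission
    MachineLaunchRestriction  = ConvertTo-SddlString $ole.MachineLaunchRestriction
    MachineAccessRestriction  = ConvertTo-SddlString $ole.MachineAccessRestriction
} | Format-List

# 2. Per-application overrides under HKLM\SOFTWARE\Classes\AppID\{GUID}.
#    Any AppID carrying LaunchPermission, AccessPermission or RunAs has opted
#    out of the defaults above and deserves an individual review.
Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.LaunchPermission -or $p.AccessPermission -or $p.RunAs) {
            [pscustomobject]@{
                AppID            = $_.PSChildName
                Name             = $p.'(default)'
                RunAs            = $p.RunAs                      # e.g. 'Interactive User' or a fixed account
                LaunchPermission = ConvertTo-SddlString $p.LaunchPermission
                AccessPermission = ConvertTo-SddlString $p.AccessPermission
            }
        }
    } |
    Sort-Object RunAs -Descending |
    Format-Table -AutoSize -Wrap
```

Capture the output once on a known-good build and diff it periodically: an AppID that newly gains a permissive LaunchPermission SDDL (for example one granting Everyone or Authenticated Users local and remote activation) or a RunAs pointing at a privileged account is exactly the kind of change this mitigation is meant to keep under control.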

Detection

ID Data Source Data Component Detects
DS0011 Module Module Load

Monitor for COM objects loading DLLs and other modules not typically associated with the application.[24]

DS0009 Process Process Creation

Monitor for newly executed processes that are associated with COM objects, especially those invoked by a user different from the one currently logged on.

DS0012 Script Script Execution

Monitor for any attempt to enable script execution on a system; such attempts would be considered suspicious. Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.[1][24]
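The Process Creation detection above hinges on two observations: out-of-process COM servers are spawned by the DcomLaunch service host (svchost.exe -k DcomLaunch), and a DCOM activation that runs under an account other than the console user is unusual on a workstation. The rule below is an added example, not ATT&CK's or any vendor's detection logic: it evaluates process-creation records shaped like Sysmon Event ID 1 (ParentImage, ParentCommandLine, Image, User fields) and flags children of the DCOM launch host that are scripting, Office or MMC binaries, or that run as a different user than the interactive one. The console user name and the sample events are constructed for the demonstration.

```powershell
# Added example (not ATT&CK's code): a small detection rule for process
# creations coming out of the DCOM launch host. In production, replace the
# constructed $sample array with Sysmon Event ID 1 records.

$consoleUser = 'CORP\alice'   # assumption: the interactively logged-on user on this host

# Child images a DCOM activation rarely needs on a workstation; a COM-driven
# launch of one of these is worth an analyst's look.
$suspiciousChildren = @('mmc.exe', 'excel.exe', 'winword.exe', 'outlook.exe',
                        'wscript.exe', 'cscript.exe', 'powershell.exe', 'cmd.exe')

function Test-DcomLaunchEvent {
    param([pscustomobject]$Event)

    # Only processes started by the DcomLaunch service host are in scope.
    $parentIsDcomLaunch = ($Event.ParentImage -like '*\svchost.exe') -and
                          ($Event.ParentCommandLine -match '-k\s+DcomLaunch')
    if (-not $parentIsDcomLaunch) { return $null }

    $reasons = @()
    $child = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
    if ($suspiciousChildren -contains $child) {
        $reasons += "child '$child' is a scripting/Office/MMC host"
    }
    if ($Event.User -ne $consoleUser) {
        $reasons += "runs as $($Event.User) while console user is $consoleUser"
    }
    if ($reasons.Count -eq 0) { return $null }

    [pscustomobject]@{
        Time   = $Event.UtcTime
        Image  = $Event.Image
        User   = $Event.User
        Reason = $reasons -join '; '
    }
}

# Constructed sample events (Sysmon Event ID 1 shaped). Only the first two
# should be flagged: the third is a benign COM server started for the console
# user, the fourth is not a DcomLaunch child at all.
$sample = @(
    [pscustomobject]@{ UtcTime = '2021-07-26 10:01:02'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       ParentCommandLine = 'C:\Windows\system32\svchost.exe -k DcomLaunch -p'
                       Image = 'C:\Windows\System32\mmc.exe'
                       User = 'CORP\svc-backup' }
    [pscustomobject]@{ UtcTime = '2021-07-26 10:01:09'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       ParentCommandLine = 'C:\Windows\system32\svchost.exe -k DcomLaunch -p'
                       Image = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       User = 'CORP\alice' }
    [pscustomobject]@{ UtcTime = '2021-07-26 10:02:30'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       ParentCommandLine = 'C:\Windows\system32\svchost.exe -k DcomLaunch -p'
                       Image = 'C:\Windows\System32\dllhost.exe'
                       User = 'CORP\alice' }
    [pscustomobject]@{ UtcTime = '2021-07-26 10:03:00'
                       ParentImage = 'C:\Windows\explorer.exe'
                       ParentCommandLine = 'C:\Windows\Explorer.EXE'
                       Image = 'C:\Windows\System32\cmd.exe'
                       User = 'CORP\alice' }
)

$sample | ForEach-Object { Test-DcomLaunchEvent $_ } |
    Where-Object { $_ } |
    Format-Table -AutoSize -Wrap
```

The user-mismatch check is what catches remote DCOM activations such as the HermeticWizard and POWERSTATS procedures above, since the activating identity arrives over RPC rather than from the console session; tune $consoleUser from the host's active session list and add a suppression list for legitimate DCOM-hosted services (backup agents, management tools) before deploying the rule broadly.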
