Inter-Process Communication: Component Object Model

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.[1] Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).[2] Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).[1]

Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.[2] Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.[1][3]

ID: T1559.001
Sub-technique of:  T1559
Tactic: Execution
Platforms: Windows
Version: 1.2
Created: 12 February 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S1039 Bumblebee

Bumblebee can use a COM object to execute queries to gather system information.[4]

S1236 CLAIMLOADER

CLAIMLOADER has leveraged Component Object Model (COM) objects to create a scheduled task using ITaskService interface.[5]

S1066 DarkTortilla

DarkTortilla has used the WshShortcut COM object to create a .lnk shortcut file in the Windows startup folder.[6]

S1044 FunnyDream

FunnyDream can use COM objects identified with CLSID_ShellLink (IShellLink and IPersistFile) and WScript.Shell (RegWrite method) to enable persistence mechanisms.[7]

G0047 Gamaredon Group

Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.[8][9]

S0666 Gelsemium

Gelsemium can use the IARPUinstallerStringLauncher COM interface as part of its UAC bypass process.[10]

S0698 HermeticWizard

HermeticWizard can execute files on remote machines using DCOM.[11]

S0260 InvisiMole

InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.[12]

S1160 Latrodectus

Latrodectus can use the Windows Component Object Model (COM) to set scheduled tasks.[13][14]

G1051 Medusa Group

Medusa Group has leveraged Component Object Model (COM) to bypass UAC.[15]

S1015 Milan

Milan can use a COM component to generate scheduled tasks.[16]

G0069 MuddyWater

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.[17][18][19]

S0691 Neoichor

Neoichor can use the Internet Explorer (IE) COM interface to connect and receive commands from C2.[20]

S0223 POWERSTATS

POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.[21]

S0458 Ramsay

Ramsay can use the Windows COM API to schedule tasks and maintain persistence.[22]

S1130 Raspberry Robin

Raspberry Robin creates an elevated COM object for CMLuaUtil and uses this to set a registry value that points to the malicious LNK file during execution.[23]

S0692 SILENTTRINITY

SILENTTRINITY can insert malicious shellcode into Excel.exe using a Microsoft.Office.Interop object.[24]

S1238 STATICPLUGIN

STATICPLUGIN has used the Windows COM Installer object to download an MSI package containing files masqueraded as a BMP file.[25]

S0266 TrickBot

TrickBot used COM to set up a scheduled task for persistence.[26]

S0386 Ursnif

Ursnif droppers have used COM objects to execute the malware's full executable payload.[27]

Mitigations

ID Mitigation Description
M1048 Application Isolation and Sandboxing

Ensure all COM alerts and Protected View are enabled.[28]

M1026 Privileged Account Management

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications.[29]

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM applications that do not set their own process-wide security.[30][31]
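The two mitigations above point at registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole (system-wide defaults) and HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} (per-application overrides). The following added example, which is not part of the ATT&CK page or any Microsoft tooling, parses the text that `reg query` prints for those keys and compares the documented values EnableDCOM, LegacyAuthenticationLevel, LegacyImpersonationLevel, AuthenticationLevel and RunAs against a baseline. The baseline thresholds (packet integrity or better, Identify impersonation at most) and the sample registry text are this example's own assumptions and constructed data, not settings recommended by the page.

```python
"""Offline audit of COM/DCOM security settings from `reg query` output (added example)."""
import re

# RPC authentication levels (RPC_C_AUTHN_LEVEL_*) and impersonation levels
# (RPC_C_IMP_LEVEL_*), as documented by Microsoft.
AUTHN_LEVELS = {1: "None", 2: "Connect", 3: "Call", 4: "Packet",
                5: "Packet Integrity", 6: "Packet Privacy"}
IMP_LEVELS = {1: "Anonymous", 2: "Identify", 3: "Impersonate", 4: "Delegate"}

# Assumed baseline for this example (not taken from the ATT&CK page).
MIN_AUTHN_LEVEL = 5   # packet integrity or better
MAX_IMP_LEVEL = 2     # Identify: servers may not impersonate or delegate the caller

# Constructed sample of `reg query` output; not captured from a real host.
# The AppID GUID is a placeholder.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    EnableDCOM    REG_SZ    Y
    LegacyAuthenticationLevel    REG_DWORD    0x2
    LegacyImpersonationLevel    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-00000000BEEF}
    (Default)    REG_SZ    ExampleServer
    AuthenticationLevel    REG_DWORD    0x6
    RunAs    REG_SZ    Interactive User
"""

# `reg query` separates value name, type and data with runs of spaces.
VALUE_RE = re.compile(r"^\s+(\S+(?: \S+)*)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}}; REG_DWORD data becomes an int."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line is a key path
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, rtype, data = m.groups()
            keys[current][name] = (rtype, int(data, 16) if rtype == "REG_DWORD" else data.strip())
    return keys


def audit_com_security(keys):
    """Compare parsed Ole / AppID values with the baseline; return (key, value, data, note)."""
    findings = []
    for key, values in keys.items():
        system_wide = key.upper().endswith("\\MICROSOFT\\OLE")
        if system_wide and values.get("EnableDCOM", (None, ""))[1].upper() == "Y":
            findings.append((key, "EnableDCOM", "Y",
                             "DCOM enabled system-wide; set to N where no remote COM server is needed"))
        # Ole holds the legacy default; an AppID key overrides it for one server.
        authn_name = "LegacyAuthenticationLevel" if system_wide else "AuthenticationLevel"
        if authn_name in values:
            lvl = values[authn_name][1]
            if lvl < MIN_AUTHN_LEVEL:
                findings.append((key, authn_name, lvl,
                                 f"{AUTHN_LEVELS.get(lvl, lvl)} is below {AUTHN_LEVELS[MIN_AUTHN_LEVEL]}"))
        if system_wide and "LegacyImpersonationLevel" in values:
            lvl = values["LegacyImpersonationLevel"][1]
            if lvl > MAX_IMP_LEVEL:
                findings.append((key, "LegacyImpersonationLevel", lvl,
                                 f"{IMP_LEVELS.get(lvl, lvl)} lets servers act as the caller"))
        if not system_wide and "RunAs" in values:
            findings.append((key, "RunAs", values["RunAs"][1],
                             "server activates under a fixed identity; confirm it is least-privileged"))
    return findings


if __name__ == "__main__":
    for finding in audit_com_security(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

On a real host the input would come from `reg query HKLM\SOFTWARE\Microsoft\Ole` and `reg query HKLM\SOFTWARE\Classes\AppID /s` (run with administrative rights); the access and launch permission values are REG_BINARY security descriptors and need a separate decoder, so they are deliberately left out of this check.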

Detection Strategy

ID Name Analytic ID Analytic Description
DET0224 Detect Abuse of Component Object Model (T1559.001) AN0628

Detects anomalous use of COM objects for execution, such as Office applications spawning scripting engines, enumeration of COM interfaces via registry queries, or processes loading atypical DLLs through COM activation. Correlates process creation, module loads, and registry queries to flag suspicious COM-based code execution or persistence.
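The analytic above names three signals and says they are correlated across process creation, module loads and registry queries. The following added example, which is not ATT&CK's or any vendor's detection content, implements that correlation over a handful of constructed event records: an Office parent spawning a script engine, one process looking up an unusual number of distinct CLSID entries, and a COM surrogate host (dllhost.exe) loading a DLL from outside the trusted program directories. The event schema, the process and directory lists, and the enumeration threshold are this example's assumptions; the sample events, including the GUIDs, are constructed.

```python
"""Correlation logic for the DET0224 / AN0628 analytic (added example)."""
from collections import defaultdict

# Assumed allow/deny lists; tune to the environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
COM_HOSTS = {"dllhost.exe", "svchost.exe"}          # COM surrogate / service hosts
COM_REG_PREFIXES = ("HKCR\\CLSID\\", "HKCR\\INTERFACE\\",
                    "HKLM\\SOFTWARE\\CLASSES\\CLSID\\", "HKCU\\SOFTWARE\\CLASSES\\CLSID\\")
TRUSTED_DLL_DIRS = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\",
                    "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")
ENUM_THRESHOLD = 20   # assumed: distinct CLSID/Interface lookups by one process

# Constructed events in an assumed, telemetry-agnostic schema (not real Sysmon/EDR output).
SAMPLE_EVENTS = [
    # benign: Explorer starts Notepad
    {"event": "process_create", "pid": 3000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # suspicious: Word spawns the Windows Script Host
    {"event": "process_create", "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # benign: a single CLSID lookup by a normal application
    {"event": "registry_query", "pid": 3000,
     "key": r"HKCR\CLSID\{00000000-0000-0000-0000-000000000001}"},
    # benign: the COM surrogate loads a system DLL
    {"event": "image_load", "pid": 6100, "image": r"C:\Windows\System32\dllhost.exe",
     "loaded": r"C:\Windows\System32\ole32.dll"},
    # suspicious: the COM surrogate loads a DLL from a user temp directory
    {"event": "image_load", "pid": 6100, "image": r"C:\Windows\System32\dllhost.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\update.dll"},
]
# suspicious: one process walks 25 distinct (placeholder) CLSID entries in a burst
SAMPLE_EVENTS += [
    {"event": "registry_query", "pid": 5000,
     "key": r"HKCR\CLSID\{%08X-0000-0000-0000-000000000000}" % i} for i in range(25)
]


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_com_abuse(events):
    """Return (rule, pid, detail) alerts; per-process lookups are counted across the stream."""
    alerts = []
    com_lookups = defaultdict(set)
    for e in events:
        kind = e["event"]
        if kind == "process_create":
            if _basename(e["parent_image"]) in OFFICE_APPS and _basename(e["image"]) in SCRIPT_ENGINES:
                alerts.append(("office_spawns_script_engine", e["pid"], _basename(e["image"])))
        elif kind == "registry_query":
            if e["key"].upper().startswith(COM_REG_PREFIXES):
                com_lookups[e["pid"]].add(e["key"].upper())
        elif kind == "image_load":
            if _basename(e["image"]) in COM_HOSTS and not e["loaded"].upper().startswith(TRUSTED_DLL_DIRS):
                alerts.append(("atypical_com_dll_load", e["pid"], e["loaded"]))
    # Enumeration is judged once the whole window has been seen.
    for pid, keys in com_lookups.items():
        if len(keys) >= ENUM_THRESHOLD:
            alerts.append(("com_interface_enumeration", pid, len(keys)))
    return alerts


if __name__ == "__main__":
    for alert in detect_com_abuse(SAMPLE_EVENTS):
        print(alert)
```

The registry signal is the one most dependent on telemetry: many sensors record registry writes but not reads, so the enumeration rule needs a source that logs key queries, and the threshold should be set from a baseline of how many CLSID lookups normal processes make.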

References

  1. Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.
  2. Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.
  3. Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.
  4. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  5. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
  6. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  7. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  8. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  9. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024.
  10. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  11. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
  12. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  13. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  14. Batista, J. (2024, June 17). Latrodectus, are you coming back? Retrieved September 13, 2024.
  15. Intel471. (2025, May 14). Threat hunting case study: Medusa ransomware. Retrieved October 15, 2025.
  16. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  17. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  18. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  19. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  20. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  21. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  22. Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  23. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  24. byt3bl33d3r. (n.d.). SILENTTRINITY. Retrieved September 12, 2024.
  25. Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025.
  26. Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021.
  27. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  28. Microsoft. (n.d.). What is Protected View? Retrieved November 22, 2017.
  29. Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.
  30. Microsoft. (n.d.). Registry Values for System-Wide Security. Retrieved November 21, 2017.
  31. Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.