Inter-Process Communication: Component Object Model

ID Name
T1559.001 Component Object Model
T1559.002 Dynamic Data Exchange

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.[1] Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).[2]

Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.[2] Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.[1][3]

ID: T1559.001
Sub-technique of:  T1559
Tactic: Execution
Platforms: Windows
Data Sources: DLL monitoring, Process monitoring
Version: 1.0
Created: 12 February 2020
Last Modified: 28 March 2020

Procedure Examples

Name Description
Gamaredon Group

Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.[4]

InvisiMole

InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.[5]

MuddyWater

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.[6][7]

POWERSTATS

POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.[8]

Ursnif

Ursnif droppers have used COM objects to execute the malware's full executable payload.[9]

Mitigations

Mitigation Description
Application Isolation and Sandboxing

Ensure all COM alerts and Protected View are enabled.[10]

Privileged Account Management

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{{AppID_GUID}} associated with the process-wide security of individual COM applications.[11]

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole associated with system-wide security defaults for all COM applications that do no set their own process-wide security.[12] [13]

Detection

Monitor for COM objects loading DLLs and other modules not typically associated with the application.[14] Enumeration of COM objects, via Query Registry or PowerShell, may also proceed malicious use.[1][15]

Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.

References