Inter-Process Communication: Component Object Model

ID Name
T1559.001 Component Object Model
T1559.002 Dynamic Data Exchange

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.[1] Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).[2]

Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.[2] Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.[1][3]

ID: T1559.001
Sub-technique of: T1559
Tactic: Execution
Platforms: Windows
Data Sources: Module: Module Load, Process: Process Creation, Script: Script Execution
Version: 1.0
Created: 12 February 2020
Last Modified: 28 March 2020

Procedure Examples

ID Name Description
G0047 Gamaredon Group

Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.[4]

S0260 InvisiMole

InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.[5]

G0069 MuddyWater

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.[6][7]


POWERSTATS can use DCOM (targeting the loopback address) to execute additional payloads on compromised hosts.[8]

S0458 Ramsay

Ramsay can use the Windows COM API to schedule tasks and maintain persistence.[9]

S0266 TrickBot

TrickBot used COM to set up a scheduled task for persistence.[10]

S0386 Ursnif

Ursnif droppers have used COM objects to execute the malware's full executable payload.[11]

Mitigations

ID Mitigation Description
M1048 Application Isolation and Sandboxing

Ensure all COM alerts and Protected View are enabled.[12]

M1026 Privileged Account Management

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications.[13]

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM applications that do not set their own process-wide security.[14][15]

Detection

Monitor for COM objects loading DLLs and other modules not typically associated with the application.[16] Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.[1][17]

Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.
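The two monitoring points above (unexpected module loads into a COM-hosting application, and child processes spawned by one under a different account than the logged-on user) as a small detection routine over constructed Sysmon-style events. This is an added example, not part of the ATT&CK page; the per-application module baseline, file paths and account names are assumptions chosen for illustration.

```python
"""Detection logic for the two monitoring points above, run over constructed
Sysmon-style events. Baselines, paths and accounts are assumptions, not real data."""
from __future__ import annotations
from pathlib import PureWindowsPath

# Assumed baseline: directories from which each COM-hosting application is
# expected to load modules. Windows system directories are trusted for all.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")
MODULE_BASELINE = {
    "winword.exe": (r"C:\Program Files\Microsoft Office",),
    "excel.exe": (r"C:\Program Files\Microsoft Office",),
}

def _under(path: str, roots) -> bool:
    """True if `path` lies below any directory in `roots` (case-insensitive)."""
    p = PureWindowsPath(path.lower())
    return any(PureWindowsPath(r.lower()) in p.parents for r in roots)

def check_module_load(ev: dict) -> str | None:
    """Rule 1: a COM server loads a module not typically associated with it."""
    image = PureWindowsPath(ev["image"]).name.lower()
    if image not in MODULE_BASELINE:
        return None  # application not baselined in this example
    if _under(ev["module"], MODULE_BASELINE[image] + SYSTEM_DIRS):
        return None
    return f"{image} loaded unexpected module {ev['module']}"

def check_process_create(ev: dict) -> str | None:
    """Rule 2: a COM server spawns a child under an account other than the
    interactively logged-on user (a fuller rule would also log every child)."""
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    if parent not in MODULE_BASELINE or ev["user"].lower() == ev["logged_on_user"].lower():
        return None
    return f"{parent} spawned {ev['image']} as {ev['user']} while {ev['logged_on_user']} is logged on"

def scan(events: list[dict]) -> list[str]:
    """Apply the rule matching each event type; return the alert strings."""
    rules = {"image_load": check_module_load, "process_create": check_process_create}
    return [hit for ev in events if (hit := rules[ev["type"]](ev))]

# Constructed telemetry: two benign loads, one suspicious load, one benign child, one suspicious child.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "module": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll"},
    {"type": "image_load", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "module": r"C:\Windows\System32\ole32.dll"},
    {"type": "image_load", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "module": r"C:\Users\Public\Libraries\stage.dll"},
    {"type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice", "logged_on_user": r"CORP\alice"},
    {"type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\svc_backup", "logged_on_user": r"CORP\alice"},
]
```

Running `scan(SAMPLE_EVENTS)` yields exactly two alerts, one per rule; in production the baseline would be learned from normal module-load telemetry rather than hard-coded.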