Inter-Process Communication: Component Object Model

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.[1] Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).[2] Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).[1]

Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.[2] Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.[1][3]
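The scheduled-task path that several of the procedure examples below rely on (InvisiMole, Ramsay, TrickBot) goes through the Schedule.Service COM object, which exposes the ITaskService, ITaskDefinition and ITaskSettings interfaces. The following PowerShell is an added example written for this page, not code from ATT&CK or from any of the malware families named here. It assumes an interactive session on Windows; the task name and the cmd.exe echo command are placeholders. It registers a logon-triggered task purely through COM, reads it back, and removes it:

```powershell
# Added example: create, verify and remove a scheduled task through the
# Schedule.Service COM object only (no schtasks.exe, no Register-ScheduledTask).
# Constants from taskschd.h
$TASK_ACTION_EXEC       = 0
$TASK_TRIGGER_LOGON     = 9
$TASK_CREATE_OR_UPDATE  = 6
$TASK_LOGON_INTERACTIVE = 3   # TASK_LOGON_INTERACTIVE_TOKEN

function New-ComScheduledTask {
    param(
        [Parameter(Mandatory)] [string] $Name,      # placeholder task name
        [Parameter(Mandatory)] [string] $Program,
        [string] $Arguments = ''
    )
    # Schedule.Service is an in-process server: taskschd.dll is loaded into the
    # calling process, so nothing shows up as a new process at this point.
    $svc = New-Object -ComObject 'Schedule.Service'   # ITaskService
    $svc.Connect()                                     # local machine, current credentials
    $root = $svc.GetFolder('\')

    $def = $svc.NewTask(0)                             # ITaskDefinition
    $def.RegistrationInfo.Description = 'Added example for T1559.001'
    $def.Settings.Enabled            = $true           # ITaskSettings
    $def.Settings.Hidden             = $false          # malware commonly sets this to $true
    $def.Settings.StartWhenAvailable = $true

    $trigger = $def.Triggers.Create($TASK_TRIGGER_LOGON)   # ILogonTrigger
    $trigger.Enabled = $true

    $action = $def.Actions.Create($TASK_ACTION_EXEC)       # IExecAction
    $action.Path      = $Program
    $action.Arguments = $Arguments

    # Register under the interactive user's token; returns IRegisteredTask.
    $root.RegisterTaskDefinition($Name, $def, $TASK_CREATE_OR_UPDATE,
                                 $null, $null, $TASK_LOGON_INTERACTIVE)
}

function Get-ComScheduledTaskInfo {
    param([Parameter(Mandatory)] [string] $Name)
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $task = $svc.GetFolder('\').GetTask($Name)
    $exec = $task.Definition.Actions.Item(1)           # IActionCollection is 1-based
    [pscustomobject]@{
        Name      = $task.Name
        Path      = $exec.Path
        Arguments = $exec.Arguments
        Hidden    = $task.Definition.Settings.Hidden
        Enabled   = $task.Enabled
        # The registered definition also lands on disk, which defenders can watch:
        XmlOnDisk = Join-Path $env:SystemRoot "System32\Tasks\$Name"
    }
}

function Remove-ComScheduledTask {
    param([Parameter(Mandatory)] [string] $Name)
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $svc.GetFolder('\').DeleteTask($Name, 0)
}

# Usage (placeholder name; cmd.exe only echoes, and the task is removed again)
$taskName = 'T1559-001-ComExample'
$null = New-ComScheduledTask -Name $taskName -Program 'cmd.exe' -Arguments '/c echo COM task ran'
Get-ComScheduledTaskInfo -Name $taskName | Format-List
Remove-ComScheduledTask -Name $taskName
```

Because the work happens inside the caller through taskschd.dll, process-creation telemetry shows nothing until the trigger fires. What is observable is the module load of taskschd.dll in a process that has no business scheduling tasks, the task XML written under System32\Tasks, Task Scheduler operational event 106 (task registered), and Security event 4698 where task-creation auditing is enabled.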

ID: T1559.001
Sub-technique of:  T1559
Tactic: Execution
Platforms: Windows
Supports Remote:  Yes
Version: 1.1
Created: 12 February 2020
Last Modified: 26 July 2021

Procedure Examples

ID Name Description
G0047 Gamaredon Group

Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.[4]

S0698 HermeticWizard

HermeticWizard can execute files on remote machines using DCOM.[5]

S0260 InvisiMole

InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.[6]

G0069 MuddyWater

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.[7][8]

S0691 Neoichor

Neoichor can use the Internet Explorer (IE) COM interface to connect and receive commands from C2.[9]

S0223 POWERSTATS

POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.[10]

S0458 Ramsay

Ramsay can use the Windows COM API to schedule tasks and maintain persistence.[11]

S0266 TrickBot

TrickBot used COM to set up a scheduled task for persistence.[12]

S0386 Ursnif

Ursnif droppers have used COM objects to execute the malware's full executable payload.[13]

Mitigations

ID Mitigation Description
M1048 Application Isolation and Sandboxing

Ensure all COM alerts and Protected View are enabled.[14]

M1026 Privileged Account Management

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications.[15]

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM applications that do not set their own process-wide security.[16] [17]
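The values Dcomcnfg.exe writes to those two keys are REG_BINARY self-relative security descriptors, and an application that has no LaunchPermission or AccessPermission of its own silently inherits the system-wide defaults. The following PowerShell is an added audit example for this page, not code from ATT&CK or Microsoft. It decodes the descriptors to SDDL and lists the AppIDs whose own launch ACL grants activation to broad groups; the set of "broad" SIDs is an assumption of this example, and whether a given grant is a finding still depends on what the server is for:

```powershell
# Added example: audit the DCOM security settings the mitigation refers to.
$OleKey   = 'HKLM:\SOFTWARE\Microsoft\Ole'
$AppIdKey = 'HKLM:\SOFTWARE\Classes\AppID'

# Assumed list of principals that should not normally hold launch/activation rights:
# S-1-1-0 Everyone, S-1-5-11 Authenticated Users, S-1-5-32-545 Users, S-1-5-7 Anonymous
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-7'

function ConvertFrom-SecurityDescriptorBytes {
    # REG_BINARY security descriptor -> SDDL plus the SIDs with an AccessAllowed ACE
    param([byte[]] $Bytes)
    if (-not $Bytes) { return $null }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $ace.SecurityIdentifier.Value
        }
    }
    [pscustomobject]@{
        Sddl        = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        NullDacl    = ($null -eq $sd.DiscretionaryAcl)   # a NULL DACL grants everyone access
        AllowedSids = @($allowed)
        BroadGrant  = [bool](@($allowed) | Where-Object { $BroadSids -contains $_ })
    }
}

function Get-DcomSystemDefaults {
    # System-wide defaults used by every COM application without its own settings
    $ole = Get-ItemProperty -Path $OleKey
    # A missing LegacyAuthenticationLevel means the default of 2 (RPC_C_AUTHN_LEVEL_CONNECT)
    $authLevel = if ($null -ne $ole.LegacyAuthenticationLevel) { $ole.LegacyAuthenticationLevel } else { 2 }
    [pscustomobject]@{
        EnableDCOM                = $ole.EnableDCOM     # 'Y' or 'N'
        LegacyAuthenticationLevel = $authLevel
        DefaultLaunchPermission   = ConvertFrom-SecurityDescriptorBytes $ole.DefaultLaunchPermission
        DefaultAccessPermission   = ConvertFrom-SecurityDescriptorBytes $ole.DefaultAccessPermission
        MachineLaunchRestriction  = ConvertFrom-SecurityDescriptorBytes $ole.MachineLaunchRestriction
        MachineAccessRestriction  = ConvertFrom-SecurityDescriptorBytes $ole.MachineAccessRestriction
    }
}

function Get-DcomAppIdSecurity {
    # Per-application settings. Keys under AppID named after executables map an
    # EXE to its AppID and carry no ACLs, so only GUID-named keys are examined.
    param([string] $AppId = '*')
    Get-Item -Path (Join-Path $AppIdKey $AppId) -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -like '{*}' } |
      ForEach-Object {
        $p      = Get-ItemProperty -LiteralPath $_.PSPath
        $launch = ConvertFrom-SecurityDescriptorBytes $p.LaunchPermission
        $access = ConvertFrom-SecurityDescriptorBytes $p.AccessPermission
        $launchSddl = if ($launch) { $launch.Sddl } else { '<inherits Ole defaults>' }
        $accessSddl = if ($access) { $access.Sddl } else { '<inherits Ole defaults>' }
        [pscustomobject]@{
            AppId            = $_.PSChildName
            Name             = $p.'(default)'
            RunAs            = $p.RunAs          # absent => runs as the launching identity
            LaunchPermission = $launchSddl
            AccessPermission = $accessSddl
            BroadLaunchGrant = [bool]($launch -and ($launch.BroadGrant -or $launch.NullDacl))
        }
      }
}

# Usage
Get-DcomSystemDefaults | Format-List
# Applications whose own launch ACL hands activation rights to broad groups
Get-DcomAppIdSecurity | Where-Object BroadLaunchGrant |
    Format-Table AppId, Name, RunAs, LaunchPermission -AutoSize
```

Two things to check in the output beyond the ACLs themselves: an AppID with RunAs set to "Interactive User" runs the server in the logged-on user's context, which is what makes it attractive for lateral movement, and DefaultLaunchPermission applies to every out-of-process server that appears in the list as "<inherits Ole defaults>", so tightening one AppID does nothing for those.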

Detection

ID Data Source Data Component
DS0011 Module Module Load
DS0009 Process Process Creation
DS0012 Script Script Execution

Monitor for COM objects loading DLLs and other modules not typically associated with the application.[18] Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.[1][19]

Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.
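Two of the detection ideas above, process spawning by the DCOM launcher under a user other than the console user and enumeration of COM objects through the registry or WMI, as an added example for this page rather than ATT&CK's own detection content. The records are constructed, not real telemetry, and are shaped like the fields of Sysmon Event ID 1 (Image, CommandLine, ParentImage, ParentCommandLine, User); the enumeration pattern and the console-user source are assumptions of the example:

```powershell
# Added example: detection rules for T1559.001 run over constructed process-creation records.
# With live data, the same fields come from
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}
# and the console user from (Get-CimInstance Win32_ComputerSystem).UserName.

# Constructed sample records (not real telemetry)
$SampleEvents = @(
    [pscustomobject]@{
        Image             = 'C:\Windows\System32\mmc.exe'
        CommandLine       = '"C:\Windows\System32\mmc.exe" -Embedding'
        ParentImage       = 'C:\Windows\System32\svchost.exe'
        ParentCommandLine = 'C:\Windows\System32\svchost.exe -k DcomLaunch -p'
        User              = 'CORP\svc-backup'
    },
    [pscustomobject]@{
        Image             = 'C:\Windows\System32\notepad.exe'
        CommandLine       = 'notepad.exe'
        ParentImage       = 'C:\Windows\explorer.exe'
        ParentCommandLine = 'C:\Windows\explorer.exe'
        User              = 'CORP\alice'
    },
    [pscustomobject]@{
        Image             = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine       = 'powershell.exe -nop -c "Get-ChildItem HKLM:\SOFTWARE\Classes\CLSID | Select-Object -ExpandProperty PSChildName"'
        ParentImage       = 'C:\Windows\System32\cmd.exe'
        ParentCommandLine = 'cmd.exe'
        User              = 'CORP\alice'
    }
)

function Find-ComExecutionIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $ConsoleUser   # interactive user on the host
    )
    # Registry and WMI locations an attacker queries before choosing a COM object (assumed list)
    $enumPattern = 'Classes\\CLSID|Classes\\AppID|Win32_COMSetting|Win32_ClassicCOMClass|Win32_DCOMApplication'

    foreach ($e in $Events) {
        # Rule 1: out-of-process COM server activation. The DcomLaunch service is the
        # parent and COM passes -Embedding to the server. A user other than the console
        # user means the activation did not originate from the interactive session.
        $comLaunched = ($e.ParentCommandLine -match '(?i)svchost\.exe.*-k\s+DcomLaunch') -or
                       ($e.CommandLine -match '(?i)[-/]Embedding\b')
        if ($comLaunched -and $e.User -ne $ConsoleUser) {
            [pscustomobject]@{
                Rule   = 'COM server launched for non-console user'
                Image  = $e.Image
                User   = $e.User
                Detail = $e.ParentCommandLine
            }
        }
        # Rule 2: COM object enumeration from a script or query tool
        if ($e.Image -match '(?i)(powershell|pwsh|reg|wmic)\.exe$' -and $e.CommandLine -match $enumPattern) {
            [pscustomobject]@{
                Rule   = 'COM object enumeration'
                Image  = $e.Image
                User   = $e.User
                Detail = $e.CommandLine
            }
        }
    }
}

# Usage: the mmc.exe and powershell.exe records are flagged, notepad.exe is not
Find-ComExecutionIndicators -Events $SampleEvents -ConsoleUser 'CORP\alice' | Format-Table -AutoSize
```

Rule 1 on its own is noisy, because any local out-of-process activation also produces a child of the DcomLaunch svchost; the user comparison is what isolates activations that arrived over DCOM or from a service context, which is the case the page calls out. Rule 2 is a precursor signal and belongs in a correlation with rule 1 or with the module-load monitoring described above rather than in an alert of its own.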

References