Component Object Model Hijacking

Information

• Name: Component Object Model Hijacking

• ID: T1546.015

• Tactics: TA0004, TA0003

• Technique: T1546

Introduction

Component Object Model (COM) Hijacking (T1546.015) is a sub-technique of MITRE ATT&CK's "Event Triggered Execution" (T1546). It involves adversaries manipulating COM references and registry entries to redirect legitimate COM object instantiation requests to malicious code. COM is a Microsoft Windows technology that allows software components to communicate and interact. Attackers exploit COM hijacking to execute unauthorized code, maintain persistence, escalate privileges, or evade detection by leveraging legitimate system processes.

Deep Dive Into Technique

COM hijacking is performed by modifying registry keys associated with COM objects. Typically, COM objects are identified by globally unique identifiers (GUIDs), also known as CLSIDs. When a legitimate application or service attempts to instantiate a COM object, Windows consults the registry to locate the object's DLL or executable. By altering these registry entries, attackers redirect the instantiation to malicious binaries, scripts, or DLLs.

Technical details of COM hijacking include:

• Registry Manipulation: Attackers target registry keys under HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32 or LocalServer32, changing the default value to point to malicious payloads.

• DLL Hijacking via COM Objects: Malicious DLLs can be loaded when legitimate COM objects are instantiated. Attackers place malicious DLLs in paths referenced by altered registry entries.

• Persistence and Privilege Escalation: COM hijacking can provide persistent execution as legitimate system processes or applications regularly instantiate COM objects. Attackers may also leverage COM hijacking to escalate privileges by hijacking COM objects instantiated by privileged processes.

• Evasion and Defense Bypass: Since COM objects are frequently instantiated by legitimate system processes, malicious code executed through COM hijacking may evade detection by antivirus and endpoint detection and response (EDR) solutions.

Real-world procedures typically involve:

1. Identifying vulnerable COM objects that are frequently instantiated by system processes.

2. Gaining sufficient privileges to modify registry keys associated with these COM objects.

3. Deploying malicious payloads (DLLs or executables) to locations referenced by altered registry entries.

4. Ensuring persistence by selecting COM objects instantiated at system startup or regularly by scheduled tasks.

When this Technique is Usually Used

Attack scenarios and stages where COM hijacking is typically employed include:

• Persistence: Attackers frequently use COM hijacking to maintain long-term persistence on compromised hosts, as COM objects are instantiated regularly by system processes, scheduled tasks, or user applications.

• Privilege Escalation: Hijacking COM objects instantiated by privileged processes or services can enable attackers to escalate privileges and execute code with higher permissions.

• Defense Evasion: Because COM hijacking leverages legitimate Windows mechanisms and processes, attackers use this technique to evade detection by antivirus and endpoint protection software.

• Execution: Attackers may employ COM hijacking to trigger execution of malicious payloads indirectly via legitimate Windows processes and applications, reducing suspicion and detection likelihood.

• Lateral Movement and Post-Exploitation: After initial access, attackers often use COM hijacking to establish stealthy footholds, facilitate lateral movement, or maintain access to compromised networks.

How this Technique is Usually Detected

Detection methods, tools, and specific indicators of compromise (IoCs) for COM hijacking include:

• Registry Monitoring: Monitor and alert on suspicious modifications to registry keys under:

  • HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32

  • HKEY_CLASSES_ROOT\CLSID\{GUID}\LocalServer32

  • HKEY_CURRENT_USER\Software\Classes\CLSID\{GUID}\InprocServer32

  • HKEY_CURRENT_USER\Software\Classes\CLSID\{GUID}\LocalServer32

• Endpoint Detection and Response (EDR) Tools: Utilize EDR solutions capable of detecting anomalous COM object instantiations, unusual DLL loads, and suspicious registry modifications.

• Process Monitoring and Logging: Leverage tools like Sysmon or Microsoft Defender for Endpoint to monitor and log suspicious process creations, DLL loads, and COM object instantiations.

• Behavioral Analysis: Identify and investigate unusual process behaviors, such as unexpected DLL loads, suspicious parent-child process relationships, or anomalous COM object usage.

• File Integrity Monitoring (FIM): Implement FIM solutions to detect unauthorized changes to DLLs, executables, and registry settings associated with COM objects.

• Indicators of Compromise (IoCs):

  • Unexpected registry modifications pointing legitimate COM CLSIDs to unknown or suspicious DLLs/executables.

  • DLLs or executables appearing in unusual directories or paths referenced by COM registry entries.

  • Suspicious DLLs or executables loaded by legitimate system processes or services.

Why it is Important to Detect This Technique

Detecting COM hijacking is critical due to its significant potential impacts:

• Persistence and Long-term Compromise: Attackers can maintain persistent footholds within compromised systems, enabling continuous unauthorized access and exploitation.

• Privilege Escalation: Successful COM hijacking can allow attackers to execute malicious payloads with elevated privileges, potentially leading to full system compromise.

• Stealth and Evasion: COM hijacking leverages legitimate Windows mechanisms, making it challenging for traditional antivirus or endpoint protection tools to detect, thus increasing the risk of prolonged compromise.

• Data Exfiltration and Espionage: Attackers may leverage COM hijacking to execute payloads capable of stealing sensitive data, credentials, or intellectual property, resulting in significant operational and financial impacts.

• System Stability and Integrity Risks: Malicious payloads executed through COM hijacking can disrupt legitimate system processes, degrade system performance, or cause instability and crashes.

Early detection allows organizations to mitigate potential damage, prevent further lateral movement, and reduce the overall impact of cyber incidents.

Examples

Real-world examples involving COM hijacking include:

• Turla APT Group: Turla has utilized COM hijacking by modifying registry keys to load malicious DLLs when legitimate COM objects are instantiated, enabling persistent and stealthy execution of espionage tools.

• APT29 (Cozy Bear): APT29 leveraged COM hijacking techniques to establish persistence and execute payloads via legitimate Windows processes, allowing them to evade detection and maintain long-term access to compromised networks.

• Empire Framework: The Empire post-exploitation framework provides modules that automate COM hijacking techniques, allowing red teams and attackers to quickly establish persistence and execute payloads stealthily.

• FIN7 Cybercrime Group: FIN7 has been observed employing COM hijacking to maintain persistence and execute malicious payloads, facilitating the theft of sensitive financial and payment card data from targeted organizations.

• OilRig (APT34): OilRig utilized COM hijacking to execute payloads and maintain persistent access to compromised systems, enabling espionage and data exfiltration operations against targeted organizations in various sectors.

In these scenarios, attackers leveraged COM hijacking to:

• Execute malicious payloads stealthily via legitimate Windows processes.

• Maintain persistent footholds within compromised environments.

• Evade traditional antivirus and endpoint security detection mechanisms.

• Enable espionage, data theft, and financial fraud operations with minimal detection risk.

These examples underscore the importance of proactive monitoring, detection, and response strategies to mitigate COM hijacking threats.