Last updated
Last updated
Name: Component Object Model
ID: T1559.001
Tactics:
Technique:
Component Object Model (COM) Hijacking, identified as sub-technique T1559.001 in the MITRE ATT&CK framework, involves adversaries manipulating COM objects in Windows environments to achieve persistence, privilege escalation, or defense evasion. COM objects are designed by Microsoft to facilitate inter-process communication and dynamic object creation, making them attractive targets for attackers seeking stealthy and persistent footholds in compromised systems.
COM is a binary-interface standard that allows software components to interact seamlessly across processes and applications. COM objects are identified by globally unique identifiers (GUIDs), stored within the Windows registry, and associated with executable code (DLLs or executables). COM Hijacking occurs when attackers exploit the COM object registration mechanism to redirect legitimate COM references to malicious payloads.
Technical details include:
Registry Manipulation: Attackers modify the registry keys associated with COM objects, particularly under HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32 or LocalServer32, redirecting them to malicious DLLs or executables.
DLL Proxying: Attackers can replace legitimate COM DLLs with malicious ones, while forwarding legitimate requests to the original DLL to avoid detection.
COM Object Creation Hijacking: Attackers intercept COM object instantiation requests, redirecting them to malicious code execution.
Elevation of Privilege: Attackers may leverage COM Hijacking against objects instantiated by privileged processes, resulting in elevated privileges.
Persistence and Stealth: COM Hijacking allows attackers to persistently execute malicious code each time the compromised COM object is invoked, often bypassing traditional startup locations monitored by defenders.
Real-world procedures typically involve:
Identifying vulnerable COM objects through enumeration tools like PowerSploit, ProcMon, or custom scripts.
Crafting malicious DLLs or executables to mimic legitimate COM objects.
Modifying the registry to redirect COM object instantiation to attacker-controlled payloads.
Employing obfuscation techniques and proxy DLLs to evade detection by endpoint security solutions.
COM Hijacking is typically leveraged during multiple attack stages, including:
Persistence: Establishing long-term footholds on compromised systems by ensuring malicious code executes whenever the targeted COM object is instantiated.
Privilege Escalation: Targeting COM objects instantiated by higher privilege processes, enabling attackers to escalate privileges from standard user accounts to administrator or SYSTEM-level privileges.
Defense Evasion: Bypassing endpoint detection and response (EDR) tools by executing malicious payloads through legitimate COM object invocations, making detection more challenging.
Execution: Triggering malicious code execution indirectly through legitimate applications or processes invoking compromised COM objects, reducing suspicion and detection risk.
Attack scenarios include:
Advanced Persistent Threat (APT) groups maintaining stealthy persistence on targeted systems.
Malware campaigns employing COM Hijacking to evade signature-based detection.
Insider threats manipulating COM objects to maintain covert access to corporate systems.
Detection methods for COM Hijacking typically involve monitoring and analyzing registry changes, DLL loads, and COM object instantiations. Effective detection strategies include:
Registry Monitoring:
Continuously monitoring registry keys under HKEY_CLASSES_ROOT\CLSID for unauthorized or suspicious modifications.
Utilizing tools like Sysmon, Microsoft Defender for Endpoint, or Endpoint Detection and Response (EDR) solutions to track registry modification events.
DLL Load and Process Monitoring:
Monitoring DLL loading events, especially within legitimate processes invoking COM objects, to detect anomalous or unsigned DLLs.
Analyzing DLL digital signatures and file hashes to identify unauthorized or malicious libraries.
Behavioral Analysis and Anomaly Detection:
Leveraging endpoint protection platforms (EPP) and EDR solutions to detect anomalous behavior patterns, such as unusual COM object instantiations or unexpected DLL loads.
Employing threat hunting methodologies to proactively search for suspicious COM object usage.
Indicators of Compromise (IoCs):
Registry keys modified under HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32 or LocalServer32 pointing to suspicious or unauthorized DLLs/executables.
Presence of unsigned, recently created, or modified DLLs within system directories or unusual file locations.
Suspicious DLL file hashes or filenames identified by threat intelligence feeds or antivirus signatures.
Tools commonly used for detection include:
Sysinternals Suite (Process Monitor, Autoruns, Sysmon)
Microsoft Defender for Endpoint
CrowdStrike Falcon, SentinelOne, Carbon Black EDR
Threat hunting and SIEM solutions (Splunk, Elastic Security)
Detecting COM Hijacking is crucial due to the significant risks and impacts it poses to organizations, including:
Persistent Compromise: Attackers can maintain persistent access to compromised systems, making remediation efforts more challenging and prolonged.
Privilege Escalation: Successful COM Hijacking can enable attackers to escalate privileges, leading to full administrative or SYSTEM-level access, significantly increasing potential damage.
Defense Evasion: COM Hijacking often bypasses traditional detection mechanisms, allowing attackers to evade antivirus, endpoint protection, and monitoring tools.
Data Exfiltration and Espionage: Attackers leveraging COM Hijacking can covertly execute malicious payloads, enabling data theft, espionage, or sabotage operations.
System Integrity and Stability Risks: Malicious COM object manipulation can lead to system instability, crashes, or operational disruption, impacting business continuity and productivity.
Early detection is essential to:
Minimize attacker dwell time and reduce potential damage.
Prevent privilege escalation and broader network compromise.
Facilitate rapid incident response and effective remediation.
Maintain regulatory compliance and protect sensitive data.
Real-world examples and attack scenarios involving COM Hijacking include:
APT28 (Fancy Bear):
Leveraged COM Hijacking for stealthy persistence and privilege escalation in targeted espionage campaigns.
Modified COM object registry entries to execute custom payloads, maintaining covert access on compromised systems.
APT29 (Cozy Bear):
Utilized COM Hijacking techniques to maintain persistent access and evade detection in high-profile breaches.
Employed malicious DLLs loaded via compromised COM objects, enabling stealthy execution of espionage-oriented payloads.
Turla Group:
Known to use COM Hijacking techniques extensively for persistence and defense evasion.
Leveraged legitimate COM objects redirected to malicious DLLs, executing espionage payloads without triggering traditional detection mechanisms.
Dridex Malware:
Banking trojan known to exploit COM Hijacking for persistence and defense evasion.
Modified registry entries for COM objects to load malicious DLLs, enabling persistent access and credential theft from infected systems.
PowerSploit Framework:
Offensive security toolkit frequently used by attackers and penetration testers to enumerate vulnerable COM objects and automate COM Hijacking attacks.
Provides scripts and modules specifically designed for identifying and exploiting COM Hijacking vulnerabilities.
These examples demonstrate the widespread adoption of COM Hijacking techniques across diverse threat actors and malware families, highlighting the importance of robust detection and mitigation strategies.
Component Object Model [T1559.001]