Inter-Process Communication: Component Object Model
Other sub-techniques of Inter-Process Communication (2)
ID | Name |
---|---|
T1559.001 | Component Object Model |
T1559.002 | Dynamic Data Exchange |
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.[1] Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).[2]
Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.[2] Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.[1][3]
Procedure Examples
Name | Description |
---|---|
Gamaredon Group | Gamaredon Group malware can insert malicious macros into documents using a |
InvisiMole | InvisiMole can use the |
MuddyWater | MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.[6][7] |
POWERSTATS | POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.[8] |
Ursnif | Ursnif droppers have used COM objects to execute the malware's full executable payload.[9] |
Mitigations
Mitigation | Description |
---|---|
Application Isolation and Sandboxing | Ensure all COM alerts and Protected View are enabled.[10] |
Privileged Account Management | Modify Registry settings (directly or using Dcomcnfg.exe) in Modify Registry settings (directly or using Dcomcnfg.exe) in |
Detection
Monitor for COM objects loading DLLs and other modules not typically associated with the application.[14] Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.[1][15]
Monitor for spawning of processes associated with COM objects, especially those invoked by a user different than the one currently logged on.
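The two detection ideas above, as an added example that is not part of the ATT&CK page: it runs over constructed Sysmon-style ProcessCreate (Event ID 1) and ImageLoad (Event ID 7) records, flags out-of-process COM servers started by the DcomLaunch service host under an account other than the logged-on user, and flags COM server processes loading modules from outside a baseline of trusted directories. The event values, the logged-on user and the trusted-directory baseline are all assumptions made for the example.

```python
"""Detection logic for COM/DCOM abuse (T1559.001) over constructed Sysmon-style records.
Added example; not MITRE's code. All sample data below is constructed."""
import re

# Constructed events modelled on Sysmon Event ID 1 (ProcessCreate) and
# Event ID 7 (ImageLoad). DCOM-activated out-of-process COM servers are
# started by the "DCOM Server Process Launcher" service, which runs in
# "svchost.exe -k DcomLaunch", so that parent is the pivot for the first check.
EVENTS = [
    {"id": 1, "image": "C:\\Windows\\System32\\mmc.exe", "user": "LAB\\alice",
     "parent": "C:\\Windows\\System32\\svchost.exe -k DcomLaunch -p"},
    {"id": 1, "image": "C:\\Windows\\System32\\mmc.exe", "user": "LAB\\svc-backup",
     "parent": "C:\\Windows\\System32\\svchost.exe -k DcomLaunch -p"},
    {"id": 1, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "user": "LAB\\alice", "parent": "C:\\Windows\\explorer.exe"},
    {"id": 7, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "loaded": "C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\mso.dll"},
    {"id": 7, "image": "C:\\Windows\\System32\\mmc.exe",
     "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll"},
]

LOGGED_ON_USER = "LAB\\alice"  # constructed: owner of the interactive session
DCOM_PARENT = re.compile(r"svchost\.exe\s+-k\s+DcomLaunch\b", re.IGNORECASE)
# Assumed baseline: directories from which COM server modules are normally loaded.
TRUSTED_MODULE_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


def dcom_spawn_by_other_user(events, logged_on_user):
    """ProcessCreate events whose parent is the DcomLaunch service host and
    whose account differs from the logged-on user (case-insensitive)."""
    return [e for e in events
            if e["id"] == 1 and DCOM_PARENT.search(e["parent"])
            and e["user"].lower() != logged_on_user.lower()]


def untrusted_module_loads(events):
    """ImageLoad events where the loaded module sits outside the trusted baseline,
    e.g. a DLL in a user-writable temp directory loaded by a COM server process."""
    return [e for e in events
            if e["id"] == 7 and not e["loaded"].lower().startswith(TRUSTED_MODULE_DIRS)]


if __name__ == "__main__":
    for hit in dcom_spawn_by_other_user(EVENTS, LOGGED_ON_USER):
        print("DCOM launch by non-logged-on user:", hit["user"], hit["image"])
    for hit in untrusted_module_loads(EVENTS):
        print("Untrusted module load:", hit["image"], "->", hit["loaded"])
```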
References
- Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.
- Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.
- Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
- ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
- Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
- Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.
- Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.
- Microsoft. (n.d.). Registry Values for System-Wide Security. Retrieved November 21, 2017.
- Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.
- Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.
- Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.