MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1559.001: Component Object Model

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).

Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic. Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_privilege_escalation: PT-CR-1931: ICMLuaUtil_UAC_Bypass: An escalated process was run bypassing UAC via the ICMLuaUtil COM interface

Detection

ID: DS0011
Data source and component: Module: Module Load
Description: Monitor for COM objects loading DLLs and other modules not typically associated with the application.

ID: DS0012
Data source and component: Script: Script Execution
Description: Any attempt to enable scripts running on a system should be considered suspicious. Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor for newly executed processes that are associated with COM objects, especially those invoked by a user different from the one currently logged on.
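The Process Creation and Script Execution guidance above can be turned into a simple triage pass over process-creation telemetry. The PowerShell below is an added example, not part of the original page or of the MaxPatrol SIEM rule set: it uses Sysmon Event ID 1 field names (Image, ParentImage, ParentCommandLine, User), constructed sample records instead of real events, and an assumed interactive account name. It flags processes whose parent is an out-of-process COM host (dllhost.exe with a /Processid argument, or the DcomLaunch service host), notes when the child is a script interpreter, and highlights the case the page singles out: the process runs as a user other than the one logged on.

```powershell
# Added example (not the page's or the vendor's own code): triage process-creation
# records against the T1559.001 detection guidance. Field names follow Sysmon
# Event ID 1; in production the records would come from
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' rather than being constructed.

$InteractiveUser = 'CORP\alice'   # assumption: the account that owns the console session

# Constructed sample records (not real telemetry); the CLSID is a placeholder
$Events = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       ParentCommandLine = 'C:\Windows\explorer.exe'
                       User = 'CORP\alice' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\System32\dllhost.exe'
                       ParentCommandLine = 'C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}'
                       User = 'CORP\alice' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\wscript.exe'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       ParentCommandLine = 'C:\Windows\System32\svchost.exe -k DcomLaunch -p'
                       User = 'CORP\svc-backup' }
)

# Script hosts named in the DS0012 guidance; extend to taste
$ScriptHosts = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe')

function Get-ComLaunchFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $InteractiveUser
    )
    foreach ($e in $Events) {
        $reasons = @()
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()

        # dllhost.exe /Processid:{CLSID} is the COM surrogate hosting out-of-process servers
        if ($parent -eq 'dllhost.exe' -and $e.ParentCommandLine -match '/Processid:\{[0-9A-Fa-f-]{36}\}') {
            $reasons += 'child of COM surrogate (dllhost.exe /Processid)'
        }
        # The DcomLaunch service host activates out-of-process COM/DCOM servers
        if ($parent -eq 'svchost.exe' -and $e.ParentCommandLine -match '-k\s+DcomLaunch') {
            $reasons += 'activated by DcomLaunch service host'
        }
        # Only score the remaining signals when the process is COM-associated at all
        if ($reasons.Count -gt 0) {
            if ($ScriptHosts -contains $child) {
                $reasons += "script host $child started from a COM activation"
            }
            if ($e.User -ne $InteractiveUser) {
                $reasons += "runs as $($e.User), not the interactive user $InteractiveUser"
            }
            [pscustomobject]@{
                Image   = $e.Image
                Parent  = $e.ParentImage
                User    = $e.User
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-ComLaunchFindings -Events $Events -InteractiveUser $InteractiveUser | Format-Table -AutoSize
```

On the constructed input the first record produces nothing, the second is reported as a COM-surrogate child, and the third accumulates three reasons (DcomLaunch parent, script host, non-interactive user). Legitimate COM activations are frequent on any workstation, so these findings are enrichment for an analyst or a correlation rule, not alerts on their own.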

Mitigation

ID: M1026
Name: Privileged Account Management
Description:

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications.

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM applications that do not set their own process-wide security.
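Before changing the two registry locations named in M1026 it helps to see what is currently set, and the permission values there are stored as binary security descriptors that are unreadable in Registry Editor. The PowerShell below is an added example, not code from the page or the vendor: it reads the system-wide defaults under HKLM\SOFTWARE\Microsoft\Ole, lists the AppIDs that override them (or run under a surrogate or a fixed RunAs identity), and decodes each descriptor to SDDL so the result can be reviewed or diffed against a baseline. It assumes a Windows host and read access to HKLM; the well-known value names it reads (DefaultAccessPermission, DefaultLaunchPermission, MachineAccessRestriction, MachineLaunchRestriction, LaunchPermission, AccessPermission, RunAs, DllSurrogate) are standard DCOM settings, not values taken from the page.

```powershell
# Added example (not the page's or the vendor's own code): audit the DCOM security
# settings referenced by mitigation M1026 and decode them to SDDL for review.
# Assumes Windows with read access to HKLM; run elevated for complete results.

function ConvertTo-Sddl {
    param([byte[]] $BinarySd)
    if (-not $BinarySd) { return $null }
    # Permission values are stored as self-relative security descriptors (REG_BINARY)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($BinarySd, 0)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-DcomSystemDefaults {
    # System-wide defaults applied to COM applications that set no AppID-level security
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop
    [pscustomobject]@{
        EnableDCOM                = $ole.EnableDCOM                 # 'Y' / 'N'
        LegacyAuthenticationLevel = $ole.LegacyAuthenticationLevel  # RPC_C_AUTHN_LEVEL_* value
        LegacyImpersonationLevel  = $ole.LegacyImpersonationLevel   # RPC_C_IMP_LEVEL_* value
        DefaultAccessPermission   = ConvertTo-Sddl $ole.DefaultAccessPermission
        DefaultLaunchPermission   = ConvertTo-Sddl $ole.DefaultLaunchPermission
        MachineAccessRestriction  = ConvertTo-Sddl $ole.MachineAccessRestriction
        MachineLaunchRestriction  = ConvertTo-Sddl $ole.MachineLaunchRestriction
    }
}

function Get-DcomAppIdOverrides {
    # AppIDs that define their own process-wide security, a RunAs identity, or a DLL surrogate
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction Stop |
        Where-Object { $_.PSChildName -like '{*}' } |   # skip the executable-name aliases
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # DllSurrogate may be an empty string (default surrogate), so test for presence
            $hasSurrogate = $null -ne $p.PSObject.Properties['DllSurrogate']
            if ($p.LaunchPermission -or $p.AccessPermission -or $p.RunAs -or $hasSurrogate) {
                [pscustomobject]@{
                    AppID            = $_.PSChildName
                    Name             = $p.'(default)'
                    RunAs            = $p.RunAs
                    DllSurrogate     = if ($hasSurrogate) { 'yes' } else { $null }
                    LaunchPermission = ConvertTo-Sddl $p.LaunchPermission
                    AccessPermission = ConvertTo-Sddl $p.AccessPermission
                }
            }
        }
}

Get-DcomSystemDefaults | Format-List
Get-DcomAppIdOverrides | Sort-Object AppID | Format-Table -AutoSize
```

A missing DefaultLaunchPermission or MachineLaunchRestriction value means the operating-system default applies; an AppID row with a RunAs of "Interactive User" or with a surrogate and a permissive LaunchPermission is the kind of entry worth reviewing with Dcomcnfg.exe, since it determines which accounts may activate that server.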

ID: M1048
Name: Application Isolation and Sandboxing
Description: Ensure all COM alerts and Protected View are enabled.