T1559.001: Component Object Model
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).
Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic. Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.
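The following PowerShell is an added illustration and is not part of the ATT&CK entry or of any Positive Technologies product. It shows the three patterns the paragraphs above describe: binding a COM server by ProgID, binding the same server by CLSID with no ProgID string in the script, and using a COM object (Schedule.Service) to register a scheduled task without ever starting schtasks.exe. The ProgIDs, the CLSID and the numeric constants are stock Windows values; the task name and description are chosen for the example. It launches calc.exe and notepad.exe and registers a task, so run it only on a lab host.

```powershell
# Added example: COM code-execution patterns from PowerShell (lab use only).

# 1. Late binding by ProgID. The runtime resolves HKCR\Shell.Application\CLSID,
#    then the server registered under HKCR\CLSID\{...}\InprocServer32
#    (shell32.dll), and loads that DLL into this process. ShellExecute then
#    starts a child process whose parent is the calling powershell.exe.
$shell = New-Object -ComObject 'Shell.Application'
$shell.ShellExecute('calc.exe')

# 2. Binding by CLSID only. Same server, but the string "Shell.Application"
#    never appears in the script, which defeats naive ProgID string matching.
$clsid = [Guid]'13709620-C279-11CE-A49E-444553540000'   # Shell.Application
$shellByClsid = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($clsid))
$shellByClsid.ShellExecute('notepad.exe')

# 3. A COM object that performs a discrete adversary behaviour on its own:
#    Schedule.Service registers a task through the Task Scheduler API, so no
#    schtasks.exe process-creation event is produced.
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()                                   # local machine, current user
$task = $svc.NewTask(0)
$task.RegistrationInfo.Description = 'COM demo task (delete after testing)'

$action = $task.Actions.Create(0)                # 0 = TASK_ACTION_EXEC
$action.Path = "$env:SystemRoot\System32\notepad.exe"

$trigger = $task.Triggers.Create(1)              # 1 = TASK_TRIGGER_TIME
$trigger.StartBoundary = (Get-Date).AddMinutes(2).ToString('s')

$folder = $svc.GetFolder('\')
# 6 = TASK_CREATE_OR_UPDATE, 3 = TASK_LOGON_INTERACTIVE_TOKEN
$registered = $folder.RegisterTaskDefinition('ComDemoTask', $task, 6, $null, $null, 3)
"Registered task: $($registered.Path)"

# Clean up once you have looked at the resulting log events.
# $folder.DeleteTask('ComDemoTask', 0)
```

Two observations matter for detection. Shell.Application is an in-process server, so the processes it starts have the calling script host as their parent; an out-of-process server (one registered under LocalServer32) is instead launched by the DCOM launcher, so the new process appears with an svchost.exe parent rather than the client that requested it. The task registration in step 3 leaves no schtasks.exe process, but it does produce Security event 4698 (when object-access auditing is enabled) and event 106 in the Microsoft-Windows-TaskScheduler/Operational log, which is where the Scheduled Task/Job behaviour mentioned above has to be caught.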
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_privilege_escalation: PT-CR-1931: ICMLuaUtil_UAC_Bypass: An escalated process was run bypassing UAC via the ICMLuaUtil COM interface
Detection
ID | Data source and component | Description
---|---|---
DS0011 | Module: Module Load | Monitor for COM objects loading DLLs and other modules not typically associated with the application.
DS0012 | Script: Script Execution | Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.
DS0009 | Process: Process Creation | Monitor for newly executed processes that are associated with COM objects, especially those invoked by a user different than the one currently logged on.
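As an added example (not from the ATT&CK entry or the MaxPatrol rule set), the following PowerShell supports the Module Load and Script Execution items above: it resolves a CLSID seen in a script, a command line or a module-load event to the binary that implements it, classifies where that binary lives, and scans the whole CLSID hive for servers outside the standard Windows and Program Files directories. It only reads the registry and instantiates nothing. The list of expected directories and the output field names are the example's own choices.

```powershell
# Added example: map COM CLSIDs to their server binaries and flag unusual ones.
# Reads HKCR, which is the merged view of HKLM\Software\Classes and
# HKCU\Software\Classes that COM activation actually consults.

function Resolve-ComServer {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{13709620-C279-11CE-A49E-444553540000}'
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path $key)) { return $null }

    $progId = (Get-ItemProperty -Path "$key\ProgID" -ErrorAction SilentlyContinue).'(default)'

    # In-process servers are DLLs loaded into the client; out-of-process servers
    # are EXEs started by the DCOM launcher. Either may carry quotes or arguments.
    foreach ($kind in 'InprocServer32', 'LocalServer32') {
        $raw = (Get-ItemProperty -Path "$key\$kind" -ErrorAction SilentlyContinue).'(default)'
        if (-not $raw) { continue }
        $s = $raw.Trim()
        if ($s.StartsWith('"')) {
            $s = $s.Substring(1, $s.IndexOf('"', 1) - 1)
        } else {
            $m = [regex]::Match($s, '^(.+?\.(?:exe|dll|ocx))(\s|$)', 'IgnoreCase')
            if ($m.Success) { $s = $m.Groups[1].Value }
        }
        $path = [Environment]::ExpandEnvironmentVariables($s)
        return [pscustomobject]@{
            Clsid  = $Clsid
            ProgId = $progId
            Kind   = $kind
            Server = $path
            Exists = (Test-Path -LiteralPath $path)
        }
    }
    return [pscustomobject]@{ Clsid = $Clsid; ProgId = $progId; Kind = 'none'; Server = $null; Exists = $false }
}

function Test-ComServerLocation {
    param([Parameter(Mandatory)]$Resolved)
    if (-not $Resolved.Server) { return 'no-server' }
    # Directories where a stock or properly installed COM server is expected.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
    foreach ($root in $trusted) {
        if ($Resolved.Server.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return 'expected-location' }
    }
    return 'unusual-location'
}

function Find-UnusualComServers {
    # Walks every registered CLSID; expect thousands of keys and a few seconds' runtime.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object { Resolve-ComServer -Clsid $_.PSChildName } |
        Where-Object { $_ -and $_.Server -and (Test-ComServerLocation $_) -ne 'expected-location' } |
        Select-Object Clsid, ProgId, Kind, Server, Exists
}

# Usage: resolve the Shell.Application CLSID, then look for servers in odd places.
Resolve-ComServer -Clsid '{13709620-C279-11CE-A49E-444553540000}' | Format-List
Find-UnusualComServers | Format-Table -AutoSize
```

A server under a user-profile or temp directory is not proof of abuse (some legitimate per-user installers register there), but it is exactly the kind of module a Module Load data source would not expect the host application to pull in, so such entries are worth baselining. On 64-bit Windows the 32-bit registrations live under the WOW6432Node subtree and are not covered by this scan.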
Mitigation
ID | Name | Description
---|---|---
M1026 | Privileged Account Management | Modify Registry settings (directly or using Dcomcnfg.exe) in Modify Registry settings (directly or using Dcomcnfg.exe) in
M1048 | Application Isolation and Sandboxing | Ensure all COM alerts and Protected View are enabled.