
DET0224 Detect Abuse of Component Object Model (T1559.001)

ID: DET0224
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1559.001 (Component Object Model)

Analytics

Windows

AN0628

Detects anomalous use of COM objects for code execution, such as Office applications spawning scripting engines (e.g., wscript.exe, cscript.exe, mshta.exe, powershell.exe), enumeration of COM interfaces through registry queries against CLSID keys, or processes loading atypical DLLs as a result of COM activation (for example the dllhost.exe surrogate loading an unsigned DLL from a user-writable path). Process creation, module loads and registry accesses attributable to the same process are correlated within the configured time window to flag suspicious COM-based execution or persistence. Note that the registry channel (Security 4656, 4663, 4670) only produces events when the Audit Registry object-access subcategory is enabled and a SACL is set on the keys of interest (e.g., HKLM\SOFTWARE\Classes\CLSID); without that configuration this data component is silent and the analytic falls back to process and module telemetry alone.

Log Sources
Data Component                         Name                   Channel
Process Creation (DC0032)              WinEventLog:Sysmon     EventCode=1
Module Load (DC0016)                   WinEventLog:Sysmon     EventCode=7
Windows Registry Key Access (DC0050)   WinEventLog:Security   EventCode=4663, 4670, 4656
Mutable Elements
Field                      Description
COMObjectAllowList         Legitimate COM CLSIDs and ProgIDs used by enterprise applications, excluded to reduce false positives.
ParentProcessExclusions    Expected parent-child process relationships that should not alert (e.g., explorer.exe spawning dllhost.exe).
TimeWindow                 Maximum interval within which a COM object lookup or activation is correlated with a subsequent process creation or DLL load by the same process.
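As an added worked example (not part of the DET0224 page or of ATT&CK's own analytic content), the Python below runs the three behaviours AN0628 describes, plus the correlation step, over a handful of constructed events shaped like Sysmon EventCode 1 and 7 and Security EventCode 4663 records. The three tunables mirror the Mutable Elements table; their values, and every PID, path, timestamp and command line in the sample data, are assumptions made for this example. The sample CLSIDs are the commonly documented ones for WScript.Shell, Shell.Application and MMC20.Application; the allowlisted CLSID is a placeholder.

```python
"""Worked correlation of AN0628 over constructed events shaped like Sysmon EventCode 1 (process
create), Sysmon EventCode 7 (module load) and Security EventCode 4656/4663 (registry access).
All events, paths, PIDs and timestamps below are constructed for this example, not real telemetry."""
import re
from datetime import datetime, timedelta

# Mutable elements from the page's table; the concrete values are assumptions for this example.
COM_OBJECT_ALLOWLIST = {"{AAAAAAAA-1111-2222-3333-444444444444}"}  # placeholder CLSID of an in-house app
PARENT_PROCESS_EXCLUSIONS = {("explorer.exe", "dllhost.exe"), ("svchost.exe", "dllhost.exe")}
TIME_WINDOW = timedelta(seconds=30)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})", re.IGNORECASE)  # CLSID component of a registry path

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")

def _clsid(ev):
    m = CLSID_RE.search(ev.get("ObjectName", ""))
    return m.group(1).upper() if m else None

def office_spawning_script_engine(events):
    """Sysmon 1: an Office parent launching a scripting engine, minus excluded parent/child pairs."""
    hits = []
    for ev in (e for e in events if e["EventCode"] == 1):
        parent, child = _base(ev["ParentImage"]), _base(ev["Image"])
        if (parent, child) not in PARENT_PROCESS_EXCLUSIONS and parent in OFFICE_APPS and child in SCRIPT_ENGINES:
            hits.append((ev["UtcTime"], parent, child, ev["CommandLine"]))
    return hits

def clsid_enumeration(events, min_distinct=3):
    """Security 4656/4663: one PID touching >= min_distinct non-allowlisted CLSID keys within TIME_WINDOW."""
    per_pid = {}
    for ev in events:
        clsid = _clsid(ev) if ev["EventCode"] in (4656, 4663) else None
        if clsid and clsid not in COM_OBJECT_ALLOWLIST:
            per_pid.setdefault(ev["ProcessId"], []).append((_ts(ev), clsid, _base(ev["ProcessName"])))
    hits = []
    for pid, reads in per_pid.items():
        reads.sort()
        for i, (t0, _, name) in enumerate(reads):
            in_window = {c for t, c, _ in reads[i:] if t - t0 <= TIME_WINDOW}
            if len(in_window) >= min_distinct:
                hits.append((pid, name, sorted(in_window)))
                break
    return hits

def atypical_com_dll_load(events):
    """Sysmon 7: the COM surrogate dllhost.exe loading an unsigned DLL from outside C:\\Windows."""
    return [(ev["UtcTime"], ev["ProcessId"], ev["ImageLoaded"]) for ev in events
            if ev["EventCode"] == 7 and _base(ev["Image"]) == "dllhost.exe"
            and not ev["ImageLoaded"].lower().startswith("c:\\windows\\")
            and ev.get("Signed", "false").lower() != "true"]

def correlate_activation(events):
    """Non-allowlisted CLSID key read followed within TIME_WINDOW by a child of the reader (Sysmon 1)
    or a module load inside the reader (Sysmon 7): the lookup-then-activate chain the analytic correlates."""
    reads = [(ev["ProcessId"], _ts(ev), _clsid(ev)) for ev in events
             if ev["EventCode"] in (4656, 4663) and _clsid(ev) and _clsid(ev) not in COM_OBJECT_ALLOWLIST]
    chains = []
    for ev in (e for e in events if e["EventCode"] in (1, 7)):
        pid = ev["ParentProcessId"] if ev["EventCode"] == 1 else ev["ProcessId"]
        what = _base(ev["Image"] if ev["EventCode"] == 1 else ev["ImageLoaded"])
        for rpid, rt, clsid in reads:
            if rpid == pid and timedelta(0) <= _ts(ev) - rt <= TIME_WINDOW:
                chains.append((clsid, ev["EventCode"], what))
    return chains

def _reg(t, pid, proc, clsid):  # constructed Security 4663 record
    return {"EventCode": 4663, "UtcTime": t, "ProcessId": pid, "ProcessName": proc,
            "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\" + clsid}

WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed; the three CLSIDs are the documented WScript.Shell, Shell.Application, MMC20.Application
    _reg("2025-10-21 10:00:00", 4242, WORD, "{72C24DD5-D70A-438B-8A42-98424B88AFB8}"),
    _reg("2025-10-21 10:00:02", 4242, WORD, "{13709620-C279-11CE-A49E-444553540000}"),
    _reg("2025-10-21 10:00:05", 4242, WORD, "{49B2791A-B1AE-4C90-9B8E-E860BA07F889}"),
    _reg("2025-10-21 10:00:06", 9001, "C:\\Windows\\explorer.exe", "{AAAAAAAA-1111-2222-3333-444444444444}"),
    {"EventCode": 1, "UtcTime": "2025-10-21 10:00:09", "ProcessId": 5150, "ParentProcessId": 4242, "ParentImage": WORD,
     "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe //e:jscript C:\\Users\\bob\\AppData\\Local\\Temp\\inv.js"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:00:10", "ProcessId": 6100, "ParentProcessId": 9001,
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\dllhost.exe",
     "CommandLine": "dllhost.exe /Processid:{AAAAAAAA-1111-2222-3333-444444444444}"},  # excluded pair, allowlisted CLSID
    {"EventCode": 7, "UtcTime": "2025-10-21 10:00:12", "ProcessId": 6100, "Image": "C:\\Windows\\System32\\dllhost.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Roaming\\upd\\helper.dll", "Signed": "false"},
    {"EventCode": 7, "UtcTime": "2025-10-21 10:00:13", "ProcessId": 6100, "Image": "C:\\Windows\\System32\\dllhost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ole32.dll", "Signed": "true"},  # benign: under C:\Windows and signed
]

def run(events=SAMPLE_EVENTS):
    """Run every rule and return its hits keyed by rule name."""
    return {"office_spawn": office_spawning_script_engine(events), "clsid_enum": clsid_enumeration(events),
            "dll_load": atypical_com_dll_load(events), "chains": correlate_activation(events)}
```

On the sample, the WINWORD.EXE process trips the CLSID enumeration rule (three distinct non-allowlisted CLSID keys read inside the window), the Office-to-wscript.exe spawn rule, and three correlation chains tying the spawn back to each CLSID read; the explorer.exe to dllhost.exe launch is suppressed by ParentProcessExclusions and its allowlisted CLSID, while the unsigned helper.dll loaded into dllhost.exe from a user profile path fires the module-load rule on its own. Matching on ProcessId across Sysmon and Security events is the weak point in practice: PIDs recycle, so a production version would key on Sysmon's ProcessGuid where both sources expose it and otherwise bound the join by process start time.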