T1559.001 Component Object Model
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, i.e. executable code that implements one or more interfaces.[1] Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).[2] Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).[1]
Various COM interfaces are exposed that can be abused to invoke arbitrary execution from a variety of programming languages such as C, C++, Java, and Visual Basic.[2] Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.[1][3]
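As an added example (not code from the ATT&CK page or from any of the cited reports), the PowerShell below first resolves three ProgIDs named on this page to the DLL or EXE that COM will load or start for them, then drives the WScript.Shell and Schedule.Service objects the way the procedure examples describe: Run() to spawn a child process, and the ITaskService, ITaskDefinition and ITaskSettings chain to register a task, which is deleted again at the end. The task name, output paths and demo commands are arbitrary values chosen here; the script is Windows-only and runs as a normal user.

```powershell
# Added example, not from the ATT&CK page or any cited report. Windows only.
# Demo values (task name, file paths, commands) are arbitrary.

function Resolve-ComServer {
    # Map a ProgID to its CLSID and to the server binary behind it: an
    # InprocServer32 DLL is loaded into the caller, a LocalServer32 EXE is
    # started as a separate process (the Module Load / Process Creation signals).
    param([Parameter(Mandatory)][string]$ProgId)
    $clsid  = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" -ErrorAction Stop).'(default)'
    $base   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $inproc = (Get-ItemProperty "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $local  = (Get-ItemProperty "$base\LocalServer32"  -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ ProgId = $ProgId; CLSID = $clsid; InprocServer32 = $inproc; LocalServer32 = $local }
}

'WScript.Shell', 'Schedule.Service', 'MMC20.Application' | ForEach-Object { Resolve-ComServer $_ } | Format-List

# 1. WScript.Shell.Run(): the child process is a child of whatever hosts the
#    object (here powershell.exe), not of a script host.
$wsh = New-Object -ComObject WScript.Shell
$null = $wsh.Run("cmd.exe /c echo COM-launched > `"$env:TEMP\com_demo.txt`"", 0, $true)
Get-Content "$env:TEMP\com_demo.txt"

# 2. Schedule.Service: the ITaskService / ITaskDefinition / ITaskSettings chain.
$svc = New-Object -ComObject Schedule.Service      # ITaskService
$svc.Connect()                                     # local; Connect(host,user,domain,pwd) goes over DCOM
$def = $svc.NewTask(0)                             # ITaskDefinition
$def.RegistrationInfo.Description = 'COM demo task (deleted at the end of this script)'
$def.Settings.Enabled = $true                      # ITaskSettings
$def.Settings.Hidden  = $false
$act = $def.Actions.Create(0)                      # 0 = TASK_ACTION_EXEC
$act.Path      = 'cmd.exe'
$act.Arguments = "/c echo task-ran > `"$env:TEMP\com_task.txt`""
$trig = $def.Triggers.Create(1)                    # 1 = TASK_TRIGGER_TIME
$trig.StartBoundary = (Get-Date).AddMinutes(1).ToString('s')

$folder = $svc.GetFolder('\')
# 6 = TASK_CREATE_OR_UPDATE, 3 = TASK_LOGON_INTERACTIVE_TOKEN (run as the calling user)
$null = $folder.RegisterTaskDefinition('COMDemoTask', $def, 6, $null, $null, 3)
$folder.GetTask('COMDemoTask') | Select-Object Name, State, LastRunTime
$folder.DeleteTask('COMDemoTask', 0)               # clean up
```

The point of step 2 for a defender is that no schtasks.exe ever runs: the task lands in the Task Scheduler through taskschd.dll loaded into the calling process, which is why the Detection table below lists Module Load alongside Process Creation.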
Item | Value |
---|---|
ID | T1559.001 |
Sub-technique of | T1559 (Inter-Process Communication); sibling sub-techniques: T1559.002, T1559.003 |
Tactics | TA0002 (Execution) |
Platforms | Windows |
Version | 1.1 |
Created | 12 February 2020 |
Last Modified | 26 July 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S1039 | Bumblebee | Bumblebee can use a COM object to execute queries to gather system information.[16] |
S1066 | DarkTortilla | DarkTortilla has used the WshShortcut COM object to create a .lnk shortcut file in the Windows startup folder.[21] |
S1044 | FunnyDream | FunnyDream can use COM objects identified by CLSID_ShellLink (IShellLink and IPersistFile) and WScript.Shell (RegWrite method) to enable persistence mechanisms.[15] |
G0047 | Gamaredon Group | Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.[22] |
S0666 | Gelsemium | Gelsemium can use the IARPUinstallerStringLauncher COM interface as part of its UAC bypass process.[20] |
S0698 | HermeticWizard | HermeticWizard can execute files on remote machines using DCOM.[12] |
S0260 | InvisiMole | InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.[17] |
S1015 | Milan | Milan can use a COM component to generate scheduled tasks.[10] |
G0069 | MuddyWater | MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.[25][23][24] |
S0691 | Neoichor | Neoichor can use the Internet Explorer (IE) COM interface to connect and receive commands from C2.[18] |
S0223 | POWERSTATS | POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.[13] |
S0458 | Ramsay | Ramsay can use the Windows COM API to schedule tasks and maintain persistence.[11] |
S0266 | TrickBot | TrickBot used COM to set up a scheduled task for persistence.[19] |
S0386 | Ursnif | Ursnif droppers have used COM objects to execute the malware's full executable payload.[14] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1048 | Application Isolation and Sandboxing | Ensure all COM alerts and Protected View are enabled.[6] |
M1026 | Privileged Account Management | Modify Registry settings (directly or using Dcomcnfg.exe) under `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID}` that control the process-wide security of individual COM applications (RunAs, LaunchPermission, AccessPermission).[7] |
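To make the M1026 entry actionable, here is an added audit script (not from the ATT&CK page or the cited Microsoft documentation) that reads the per-AppID security values the mitigation refers to, together with the machine-wide DCOM defaults under `HKLM\SOFTWARE\Microsoft\Ole` that apply to any AppID that sets nothing of its own. The value names (RunAs, LaunchPermission, AccessPermission, DllSurrogate, RemoteServerName, EnableDCOM, DefaultLaunchPermission, DefaultAccessPermission, LegacyAuthenticationLevel) are the documented DCOM registry values; the choice to single out servers that run as the interactive user without their own launch ACL is this example's own heuristic.

```powershell
# Added example, not from the ATT&CK page or Microsoft documentation. Windows only.
# Reads DCOM security from the registry; the review heuristic at the end is ours.

function ConvertTo-Sddl {
    # LaunchPermission/AccessPermission (and the Ole defaults) are stored as
    # self-relative binary security descriptors; SDDL is readable and diff-able.
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }
    (New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)).GetSddlForm('All')
}

function Get-DcomMachineDefaults {
    # Machine-wide values that apply when an AppID carries no explicit ACL.
    $ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
    [pscustomobject]@{
        EnableDCOM                = $ole.EnableDCOM                 # 'Y' = remote activation allowed
        LegacyAuthenticationLevel = $ole.LegacyAuthenticationLevel  # default RPC auth level, if set
        DefaultLaunchPermission   = ConvertTo-Sddl $ole.DefaultLaunchPermission
        DefaultAccessPermission   = ConvertTo-Sddl $ole.DefaultAccessPermission
    }
}

function Get-AppIdSecurity {
    # One object per registered AppID. RunAs decides which identity the server
    # gets ('Interactive User' = the logged-on session); DllSurrogate means the
    # DLL is hosted in dllhost.exe; RemoteServerName redirects activation off-box.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' |
      Where-Object { $_.PSChildName -like '{*}' } |
      ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            AppID            = $_.PSChildName
            Name             = $p.'(default)'
            RunAs            = $p.RunAs
            DllSurrogate     = $p.DllSurrogate
            RemoteServerName = $p.RemoteServerName
            LaunchPermission = ConvertTo-Sddl $p.LaunchPermission
            AccessPermission = ConvertTo-Sddl $p.AccessPermission
        }
      }
}

Get-DcomMachineDefaults | Format-List
$appids = @(Get-AppIdSecurity)
'{0} AppIDs, {1} with their own LaunchPermission, {2} running as the interactive user' -f `
    $appids.Count,
    @($appids | Where-Object { $_.LaunchPermission }).Count,
    @($appids | Where-Object { $_.RunAs -eq 'Interactive User' }).Count

# Review list: servers that run in the logged-on user's session but inherit the
# machine-wide launch ACL. These are the first candidates to lock down with
# Dcomcnfg.exe (Component Services > DCOM Config > Properties > Security).
$appids | Where-Object { $_.RunAs -eq 'Interactive User' -and -not $_.LaunchPermission } |
    Format-Table AppID, Name, DllSurrogate, RemoteServerName -AutoSize
```

Run it before and after a change made through Dcomcnfg.exe and diff the SDDL strings; that is the quickest way to confirm the GUI actually wrote the per-AppID value rather than leaving the server on the machine-wide default.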
Detection
ID | Data Source | Data Component |
---|---|---|
DS0011 | Module | Module Load |
DS0009 | Process | Process Creation |
DS0012 | Script | Script Execution |
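The three data components above translate into concrete hunting logic. The following added example (not from the ATT&CK page) applies one check per component to a handful of constructed Sysmon-style records. The constructed sample mixes benign activity with the shapes the procedure examples describe: an Office process loading the Task Scheduler COM server, a shell spawned under a COM-activated parent, and a script host running a script from a user-writable path. The module-to-object map (taskschd.dll for Schedule.Service, wshom.ocx for WScript.Shell), the list of expected host processes and the path regex are this example's assumptions and should be tuned per environment.

```powershell
# Added example, not from the ATT&CK page. Records below are CONSTRUCTED, not real
# telemetry. Id 7 = Sysmon ImageLoaded, Id 1 = Sysmon ProcessCreate.

# InprocServer32 DLLs behind COM objects named in the procedure examples.
$ComModules = @{
    'taskschd.dll' = 'Schedule.Service (ITaskService/ITaskDefinition)'
    'wshom.ocx'    = 'WScript.Shell'
}
# Assumed baseline of processes that legitimately load those DLLs; tune per estate.
$ExpectedHosts = 'mmc.exe', 'svchost.exe', 'explorer.exe', 'taskmgr.exe', 'powershell.exe'
# Children that, under a COM-activated parent, usually mean "run an arbitrary command".
$ShellChildren = 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe'
$UserWritable  = '(?i)\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\'

$SampleEvents = @(
  @{ Id=7; Image='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; ImageLoaded='C:\Windows\System32\taskschd.dll' }
  @{ Id=7; Image='C:\Windows\System32\mmc.exe';                                 ImageLoaded='C:\Windows\System32\taskschd.dll' }
  @{ Id=1; Image='C:\Windows\System32\cmd.exe';     ParentImage='C:\Windows\System32\svchost.exe'; ParentCommandLine='C:\Windows\system32\svchost.exe -k DcomLaunch -p'; CommandLine='cmd.exe /c whoami' }
  @{ Id=1; Image='C:\Windows\System32\cmd.exe';     ParentImage='C:\Windows\System32\mmc.exe';     ParentCommandLine='"C:\Windows\system32\mmc.exe" -Embedding';        CommandLine='cmd.exe /c calc' }
  @{ Id=1; Image='C:\Windows\System32\notepad.exe'; ParentImage='C:\Windows\explorer.exe';         ParentCommandLine='C:\Windows\Explorer.EXE';                          CommandLine='notepad.exe' }
  @{ Id=1; Image='C:\Windows\System32\wscript.exe'; ParentImage='C:\Windows\System32\cmd.exe';     ParentCommandLine='cmd.exe';                                          CommandLine='wscript.exe //e:jscript C:\Users\Public\update.js' }
)

function Find-ComExecutionIndicators {
    param([Parameter(Mandatory)][hashtable[]]$Events)
    foreach ($e in $Events) {
        $img = [IO.Path]::GetFileName($e.Image)
        switch ($e.Id) {
            7 {
                # Module Load: a COM server DLL pulled into a process that does not normally host it.
                $mod = [IO.Path]::GetFileName($e.ImageLoaded)
                if ($ComModules.ContainsKey($mod) -and $img -notin $ExpectedHosts) {
                    [pscustomobject]@{ Component='Module Load'; Process=$img; Detail="loaded $mod ($($ComModules[$mod]))" }
                }
            }
            1 {
                $parent = [IO.Path]::GetFileName($e.ParentImage)
                # Process Creation: out-of-process servers are started by the DcomLaunch
                # service, by a dllhost.exe surrogate, or as an EXE passed -Embedding.
                # A shell under such a parent is the local/DCOM execution shape.
                $comActivated = ($e.ParentCommandLine -match '(?i)-Embedding|DcomLaunch') -or ($parent -eq 'dllhost.exe')
                if ($comActivated -and $img -in $ShellChildren) {
                    [pscustomobject]@{ Component='Process Creation'; Process=$img; Detail="spawned by COM-activated $parent [$($e.ParentCommandLine)]" }
                }
                # Script Execution: a script host running a script from a user-writable
                # location; such scripts reach COM through CreateObject()/new ActiveXObject().
                if ($img -in @('wscript.exe', 'cscript.exe', 'mshta.exe') -and $e.CommandLine -match $UserWritable) {
                    [pscustomobject]@{ Component='Script Execution'; Process=$img; Detail=$e.CommandLine }
                }
            }
        }
    }
}

Find-ComExecutionIndicators -Events $SampleEvents | Format-Table -AutoSize
```

Against live data, replace `$SampleEvents` with records from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` mapped to the same field names; the Module Load check is the one that catches the InvisiMole/Ramsay/TrickBot pattern, since a task registered through ITaskService never shows up as a schtasks.exe process creation.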
References
1. Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.
2. Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.
3. Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.
4. Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.
5. Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.
6. Microsoft. (n.d.). What is Protected View? Retrieved November 22, 2017.
7. Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.
8. Microsoft. (n.d.). Registry Values for System-Wide Security. Retrieved November 21, 2017.
9. Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.
10. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022.
11. Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
12. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
13. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
14. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
15. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
16. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
17. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
18. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
19. Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021.
20. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
21. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
22. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
23. ClearSky. (2019, June). Iranian APT group 'MuddyWater' Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
24. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
25. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.