Description
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).(Citation: Fireeye Hunting COM June 2019)
Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)
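The following PowerShell script is an added example, not code from the cited Fireeye or Microsoft articles, showing the two halves of the description above. First it resolves a ProgID to the CLSID and to the DLL (InprocServer32) or EXE (LocalServer32) registered as its server; then it acts as a COM client to the Task Scheduler service through ITaskService and ITaskDefinition, the route to scheduled-task creation that several of the malware entries further down use. The task name and command are assumed, harmless placeholders, and the task is deleted again at the end.

```powershell
# Added example (not from the cited sources): a COM client in PowerShell.
# Part 1 resolves a ProgID to the CLSID and the DLL/EXE server registered for it.
# Part 2 drives the Task Scheduler service through ITaskService/ITaskDefinition.
# The task name and command are assumed, harmless placeholders.

function Resolve-ComServer {
    param([Parameter(Mandatory)][string]$ProgId)
    # HKCR\<ProgID>\CLSID holds the class GUID; under HKCR\CLSID\<GUID>,
    # InprocServer32 names a DLL loaded into the client process and
    # LocalServer32 an EXE started as a separate server process.
    $clsid = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" -ErrorAction Stop).'(default)'
    $base  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $servers = foreach ($kind in 'InprocServer32', 'LocalServer32') {
        $p = Get-ItemProperty -Path "$base\$kind" -ErrorAction SilentlyContinue
        if ($p) { [pscustomobject]@{ Kind = $kind; Path = $p.'(default)' } }
    }
    [pscustomobject]@{ ProgId = $ProgId; Clsid = $clsid; Servers = $servers }
}

function New-ComScheduledTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$Command,
        [string]$Arguments = ''
    )
    $svc = New-Object -ComObject 'Schedule.Service'   # ITaskService
    $svc.Connect()                                    # local machine, current user
    $folder = $svc.GetFolder('\')                     # ITaskFolder for the root

    $def = $svc.NewTask(0)                            # ITaskDefinition
    $def.RegistrationInfo.Description = 'Added COM example task'
    $def.Settings.Enabled = $true                     # ITaskSettings
    $def.Triggers.Create(9) | Out-Null                # 9 = TASK_TRIGGER_LOGON
    $action = $def.Actions.Create(0)                  # 0 = TASK_ACTION_EXEC -> IExecAction
    $action.Path      = $Command
    $action.Arguments = $Arguments

    # 6 = TASK_CREATE_OR_UPDATE, 3 = TASK_LOGON_INTERACTIVE_TOKEN (runs as the calling user)
    $null = $folder.RegisterTaskDefinition($TaskName, $def, 6, $null, $null, 3)
    $folder.GetTask($TaskName)                        # IRegisteredTask
}

function Remove-ComScheduledTask {
    param([Parameter(Mandatory)][string]$TaskName)
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $svc.GetFolder('\').DeleteTask($TaskName, 0)
}

# Usage: the ProgIDs are real; the task name and command are placeholders.
Resolve-ComServer -ProgId 'Schedule.Service' | Format-List
Resolve-ComServer -ProgId 'WScript.Shell'    | Format-List
$task = New-ComScheduledTask -TaskName 'ComExampleTask' -Command 'cmd.exe' -Arguments '/c echo com-example'
'{0} state={1} path={2}' -f $task.Name, $task.State, $task.Path
Remove-ComScheduledTask -TaskName 'ComExampleTask'
```

No schtasks.exe or Register-ScheduledTask is involved, which is the point for defenders: the task appears without the command-line telemetry those tools leave, and the only process-level evidence is the client loading taskschd.dll and talking to the Schedule service over RPC.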
Platforms
Windows
Mitigations (2)
Privileged Account Management (M1026)
Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications.(Citation: Microsoft Process Wide Com Keys)
Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for al
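Before changing either location it helps to see what is already there. The script below is an added example, not from the cited Microsoft documentation: it reads the system-wide defaults under HKLM\SOFTWARE\Microsoft\Ole and every AppID that overrides them or pins a RunAs identity, and decodes the REG_BINARY security descriptors to SDDL so they can be reviewed and diffed. The "broad access" check and its threshold (allow ACEs for Everyone, Anonymous or Authenticated Users) are my own audit heuristic, not a Microsoft rule. It is read-only.

```powershell
# Added example (not from the cited Microsoft article): audit the two registry
# locations the mitigation names. Permission values are REG_BINARY self-relative
# security descriptors; they are decoded to SDDL here. Read-only; run elevated
# to be sure every AppID key is readable.

function ConvertTo-SddlString {
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }   # value absent: the system default applies
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-ComSecurityDefaults {
    # System-wide defaults and machine-wide limits (HKLM\SOFTWARE\Microsoft\Ole).
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    [pscustomobject]@{
        EnableDCOM               = $ole.EnableDCOM
        DefaultLaunchPermission  = ConvertTo-SddlString $ole.DefaultLaunchPermission
        DefaultAccessPermission  = ConvertTo-SddlString $ole.DefaultAccessPermission
        MachineLaunchRestriction = ConvertTo-SddlString $ole.MachineLaunchRestriction
        MachineAccessRestriction = ConvertTo-SddlString $ole.MachineAccessRestriction
    }
}

function Get-ComAppIdOverrides {
    # Per-application settings (HKLM\SOFTWARE\Classes\AppID\{GUID}); only AppIDs
    # that override the defaults or pin a RunAs identity are returned.
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.LaunchPermission -or $p.AccessPermission -or $p.RunAs) {
                [pscustomobject]@{
                    AppId            = $_.PSChildName
                    Name             = $p.'(default)'
                    RunAs            = $p.RunAs
                    LaunchPermission = ConvertTo-SddlString $p.LaunchPermission
                    AccessPermission = ConvertTo-SddlString $p.AccessPermission
                }
            }
        }
}

function Test-BroadComAccess {
    # Heuristic (assumption, not a Microsoft rule): an allow ACE "(A;...;SID)" whose
    # trustee is Everyone (WD), Anonymous (AN) or Authenticated Users (AU).
    param([string]$Sddl)
    [bool]($Sddl -and $Sddl -match '\(A;[^)]*;(WD|AN|AU)\)')
}

# Usage
Get-ComSecurityDefaults | Format-List
$overrides = Get-ComAppIdOverrides
$overrides |
    Where-Object { (Test-BroadComAccess $_.LaunchPermission) -or (Test-BroadComAccess $_.AccessPermission) } |
    Format-Table AppId, Name, RunAs, LaunchPermission -AutoSize
```

Capture the output on a known-good build and compare it after changes made with Dcomcnfg.exe, which writes these same values; an AppID that acquires a new LaunchPermission or a RunAs of "Interactive User" outside a change window is worth a look, since that is exactly the configuration remote DCOM activation needs.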
Application Isolation and Sandboxing (M1048)
Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged Component Object Model (COM) to create scheduled tasks to include using naming conventi... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.(Cit... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) malware can insert malicious macros into documents using a <code>Microsoft.Office.Interop</co... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has leveraged Component Object Model (COM) to bypass UAC.(Citation: Intel471 Medusa Ransomware M... |
Associated Software (18)
| ID | Name | Type | Context |
|---|---|---|---|
| S0223 | POWERSTATS | Malware | [POWERSTATS](https://attack.mitre.org/software/S0223) can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compro... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) used COM to set up a scheduled task for persistence.(Citation: ESET Trickbot Oct 2020) |
| S1236 | CLAIMLOADER | Malware | [CLAIMLOADER](https://attack.mitre.org/software/S1236) has leveraged Component Object Model (COM) objects to create a scheduled task using `ITaskServi... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can use the <code>ITaskService</code>, <code>ITaskDefinition</code> and <code>ITaskSettings</cod... |
| S1044 | FunnyDream | Malware | [FunnyDream](https://attack.mitre.org/software/S1044) can use COM objects identified with `CLSID_ShellLink`(`IShellLink` and `IPersistFile`) and `WScr... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) droppers have used COM objects to execute the malware's full executable payload.(Citation: Bromium U... |
| S1015 | Milan | Malware | [Milan](https://attack.mitre.org/software/S1015) can use a COM component to generate scheduled tasks.(Citation: ClearSky Siamesekitten August 2021) |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) can use the Windows Component Object Model (COM) to set scheduled tasks.(Citation: Elastic Latr... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) creates an elevated COM object for <code>CMLuaUtil</code> and uses this to set a registry v... |
| S0698 | HermeticWizard | Malware | [HermeticWizard](https://attack.mitre.org/software/S0698) can execute files on remote machines using DCOM.(Citation: ESET Hermetic Wizard March 2022) |
| S9037 | RustyWater | Malware | [RustyWater](https://attack.mitre.org/software/S9037) has used a WScript.Shell COM object to execute the CertificationKit.ini file.(Citation: CloudSEK... |
| S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) has used the `WshShortcut` COM object to create a .lnk shortcut file in the Windows startup fo... |
| S0691 | Neoichor | Malware | [Neoichor](https://attack.mitre.org/software/S0691) can use the Internet Explorer (IE) COM interface to connect and receive commands from C2.(Citation... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can insert malicious shellcode into Excel.exe using a `Microsoft.Office.Interop` object.(Cita... |
| S1238 | STATICPLUGIN | Malware | [STATICPLUGIN](https://attack.mitre.org/software/S1238) has utilized Windows COM Installer Object to download an MSI package containing files masquera... |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) can use a COM object to execute queries to gather system information.(Citation: Proofpoint Bumble... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can use the Windows COM API to schedule tasks and maintain persistence.(Citation: Eset Ramsay May 20... |
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) can use the `IARPUinstallerStringLauncher` COM interface as part of its UAC bypass process.(Cita... |
References
- Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.
- Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.
- Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.
- Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.
- Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.
Frequently Asked Questions
What is T1559.001 (Component Object Model)?
T1559.001 is a MITRE ATT&CK technique named 'Component Object Model'. It belongs to the Execution tactic(s). Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (AP...
How can T1559.001 be detected?
Detection of T1559.001 (Component Object Model) relies mainly on endpoint telemetry, because the technique is local code execution. Monitor process-creation events for COM servers launched or loaded by unexpected clients (for example an Office application or script host starting a scheduled-task, installer or command-line process), module loads of COM server DLLs into processes that do not normally host them, and registry changes to the CLSID and AppID keys and to HKLM\SOFTWARE\Microsoft\Ole that register COM servers or relax their launch and access permissions. Remote activation over DCOM additionally shows up as RPC traffic to TCP port 135 and the dynamic port range and as processes started under the DcomLaunch service. Feed this telemetry into SIEM correlation rules, EDR detections and behavioral analytics.
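As an added example (not part of the original page), the PowerShell below runs three such rules over a handful of constructed, Sysmon-shaped records: Event ID 1 (process create) and Event ID 13 (registry value set). Field names follow Sysmon; the events, file paths and the AppID GUID are invented for the demonstration, and the watchlists of Office hosts, script hosts and DCOM-launched applications are my own choices.

```powershell
# Added example (not part of the original page): COM/DCOM detection logic over
# constructed Sysmon-shaped records. Watchlists and sample events are assumptions.

$OfficeHosts = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$ScriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'cmd.exe',
               'rundll32.exe', 'regsvr32.exe', 'msiexec.exe', 'schtasks.exe'
# Applications behind COM objects commonly activated remotely (MMC20.Application,
# Excel.Application, Outlook.Application, and their Office siblings).
$DcomWatch   = 'mmc.exe', 'excel.exe', 'outlook.exe', 'winword.exe', 'powerpnt.exe'

function Get-Leaf([string]$Path) { [System.IO.Path]::GetFileName($Path).ToLowerInvariant() }

function Find-ComSuspiciousEvents {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        switch ($e.EventId) {
            1 {
                $child  = Get-Leaf $e.Image
                $parent = Get-Leaf $e.ParentImage
                # Rule 1: an Office client spawning a script host or LOLBin, the usual
                # footprint of WScript.Shell / Microsoft.Office.Interop style execution.
                if ($OfficeHosts -contains $parent -and $ScriptHosts -contains $child) {
                    [pscustomobject]@{ Rule = 'office-spawns-host'; Detail = "$parent -> $child : $($e.CommandLine)" }
                }
                # Rule 2: a DCOM activation (svchost.exe -k DcomLaunch) starting one of the
                # watched applications. Local out-of-process activation takes the same
                # path, so correlate with the RPC source host before escalating.
                if ($parent -eq 'svchost.exe' -and $e.ParentCommandLine -match 'DcomLaunch' -and $DcomWatch -contains $child) {
                    [pscustomobject]@{ Rule = 'dcom-launch'; Detail = "DcomLaunch -> $child : $($e.CommandLine)" }
                }
            }
            13 {
                # Rule 3: writes to the COM security configuration (per-AppID permissions
                # and RunAs, or the system-wide defaults under Microsoft\Ole).
                if ($e.TargetObject -match '\\Classes\\AppID\\[^\\]+\\(LaunchPermission|AccessPermission|RunAs)$' -or
                    $e.TargetObject -match '\\Microsoft\\Ole\\') {
                    [pscustomobject]@{ Rule = 'com-security-config-change'; Detail = "$(Get-Leaf $e.Image) set $($e.TargetObject)" }
                }
            }
        }
    }
}

# Constructed sample events (not real telemetry).
$sample = @(
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'wscript.exe C:\Users\alice\AppData\Local\Temp\upd.js'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       ParentCommandLine = '"WINWORD.EXE" /n invoice.docm' },
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\mmc.exe'
                       CommandLine = '"C:\Windows\System32\mmc.exe" -Embedding'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       ParentCommandLine = 'C:\Windows\system32\svchost.exe -k DcomLaunch -p' },
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\dllhost.exe'
                       CommandLine = 'C:\Windows\system32\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       ParentCommandLine = 'C:\Windows\system32\svchost.exe -k DcomLaunch -p' },
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe notes.txt'
                       ParentImage = 'C:\Windows\explorer.exe'
                       ParentCommandLine = 'C:\Windows\Explorer.EXE' },
    [pscustomobject]@{ EventId = 13; Image = 'C:\Windows\System32\reg.exe'
                       TargetObject = 'HKLM\SOFTWARE\Classes\AppID\{11111111-2222-3333-4444-555555555555}\LaunchPermission' },
    [pscustomobject]@{ EventId = 13; Image = 'C:\Windows\regedit.exe'
                       TargetObject = 'HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission' }
)

Find-ComSuspiciousEvents -Events $sample | Format-Table -AutoSize
```

Over the constructed sample the first, second, fifth and sixth records fire; the dllhost.exe surrogate and the Explorer-launched editor do not. Rule 2 is deliberately the noisiest of the three: DcomLaunch parents are normal for any out-of-process server, so in production it should be joined with the RPC connection source (or the "Embedding" child's network logon) rather than alerting on its own.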
What mitigations exist for T1559.001?
There are 2 documented mitigations for T1559.001. Key mitigations include: Privileged Account Management, Application Isolation and Sandboxing.
Which threat groups use T1559.001?
Known threat groups using T1559.001 include: Kimsuky, MuddyWater, Gamaredon Group, Medusa Group.