Component Object Model (COM) is a fundamental Windows technology used by legitimate applications for object activation, inter-process communication, automation and language-independent component reuse. Those same qualities make it useful to threat actors.
# Tool/Technique: Component Object Model (COM) in Malware
## Overview
The Component Object Model (COM) is a language-independent application binary interface (ABI) on Windows used for inter-process communication (IPC) and object activation. In a threat context, attackers leverage COM and its network extension, DCOM (Distributed COM), to execute code stealthily, move laterally, establish persistence, and bypass security controls by going through trusted system interfaces.
## Technical Details
- **Type:** Technique (Windows OS Feature)
- **Platform:** Windows
- **Capabilities:** Execution, Lateral Movement, Persistence, Evasion, System Discovery, Automation.
- **First Seen:** Early Windows versions; featured in professional research at AVAR 2025 and CARO 2026.
## MITRE ATT&CK Mapping
- **[TA0008 - Lateral Movement]**
  - [T1021.003 - Remote Services: Distributed Component Object Model]
- **[TA0003 - Persistence]**
  - [T1546.015 - Event Triggered Execution: Component Object Model Hijacking]
- **[TA0002 - Execution]**
  - [T1059 - Command and Scripting Interpreter] (via COM Automation)
  - [T1047 - Windows Management Instrumentation] (WMI is COM-based)
- **[TA0005 - Defense Evasion]**
  - [T1564.010 - Hide Artifacts: Process Argument Spoofing] (via COM activation)
## Functionality
### Core Capabilities
- **Object Activation:** Using `CoCreateInstance` or `CoCreateInstanceEx` to instantiate objects by their Class Identifier (CLSID).
- **Automation:** Leveraging `IDispatch` and ProgIDs (e.g., `WScript.Shell`, `Shell.Application`) to execute commands or interact with the filesystem.
- **Service Interaction:** Malicious use of built-in interfaces like `ITaskService` (Task Scheduler) or `IBackgroundCopyJob` (BITS) for stealthy job scheduling.
### Advanced Features
- **Dynamic GUID Assembly:** Malware often constructs 128-bit GUIDs on the stack at runtime rather than storing them as static strings, so that the GUID never appears as a contiguous pattern in the binary and static analysis is hindered.
- **COM Hijacking:** Creating or modifying registry keys (typically under `HKCU\Software\Classes\CLSID`, which is consulted before the machine-wide entry) so that a legitimate CLSID resolves to a malicious DLL.
- **DCOM Lateral Movement:** Using `CoCreateInstanceEx` to activate components on remote systems, which can evade network monitoring that does not inspect RPC/DCOM traffic.
## Indicators of Compromise
- **File Hashes:** N/A (technique-based; varies by malware family).
- **Registry Keys:**
  - `HKEY_CURRENT_USER\Software\Classes\CLSID\{GUID}\InprocServer32` (common location for hijacking)
  - `HKEY_CLASSES_ROOT\CLSID\{GUID}`
- **Network Indicators:**
  - RPC/DCOM traffic to TCP port 135 (the RPC endpoint mapper).
  - Follow-on connections to high-numbered dynamic ports, negotiated through the endpoint mapper, used for COM method invocation.
- **Behavioral Indicators:**
  - `dllhost.exe` (the COM surrogate process) launching unexpected child processes or making network connections.
  - Scripting engines (`powershell.exe`, `wscript.exe`) instantiating sensitive COM objects such as `Shell.Application`.
## Associated Threat Actors
- Widely used across the spectrum from commodity malware to Advanced Persistent Threats (APTs).
- Specifically identified in research as a core component of modern Windows-based campaigns for "living-off-the-land" (LotL).
## Detection Methods
- **Signature-based:** Scanning binaries for the in-memory byte layout of known sensitive GUIDs (Data1 to Data3 stored little-endian), which is how a GUID appears when stored as a static structure rather than as a string.
- **Behavioral detection:** Monitoring for `CoCreateInstance` calls to sensitive interfaces (e.g., those related to Task Scheduler or BITS).
- **Tooling:**
  - **OleView.NET:** For inspecting COM classes and interfaces.
  - **DispatchLogger** (Talos tool): For transparent COM instrumentation.
  - **COMIDA:** For hunting COM hijacking vulnerabilities.
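As an added example (not part of the original report or of any of the tools listed), the following Python scanner encodes a small CLSID watchlist into the binary little-endian layout described above, plus the ASCII and UTF-16 string forms, and searches a buffer for all of them. The CLSIDs of `Shell.Application` and `WScript.Shell` are their well-known registered values; the watchlist itself and the sample buffer are constructed for the example.

```python
import struct
import uuid

# Constructed watchlist: well-known CLSIDs of two automation objects the report
# names. An analyst would extend this with the CLSIDs relevant to their hunt.
SENSITIVE_CLSIDS = {
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
}

def guid_to_le_bytes(guid_str: str) -> bytes:
    """Encode a GUID as it sits in memory or in a PE image: Data1 (u32 LE),
    Data2 (u16 LE), Data3 (u16 LE), then Data4 (8 bytes in written order)."""
    f = uuid.UUID(guid_str).fields
    data4 = bytes([f[3], f[4]]) + f[5].to_bytes(6, "big")
    return struct.pack("<IHH", f[0], f[1], f[2]) + data4

def build_signatures(clsids=None):
    """Per CLSID: the binary struct plus the ASCII and UTF-16LE string forms
    (string forms catch samples that pass a literal to CLSIDFromString)."""
    sigs = []
    for guid, name in (clsids or SENSITIVE_CLSIDS).items():
        sigs.append((guid_to_le_bytes(guid), name, "binary"))
        for text in ("{" + guid.upper() + "}", "{" + guid.lower() + "}"):
            sigs.append((text.encode("ascii"), name, "ascii"))
            sigs.append((text.encode("utf-16-le"), name, "utf16"))
    return sigs

def scan_for_clsids(data: bytes, sigs=None):
    """Return sorted (offset, object name, encoding) tuples for every hit."""
    hits = []
    for pattern, name, enc in sigs or build_signatures():
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((idx, name, enc))
            start = idx + 1
    return sorted(hits)

# Constructed sample buffer: header padding, one raw GUID struct, more padding,
# then one CLSID embedded as a UTF-16 string (as a Unicode literal would be).
SAMPLE = (b"MZ" + b"\x00" * 30
          + guid_to_le_bytes("13709620-C279-11CE-A49E-444553540000")
          + b"\x00" * 16
          + "{72C24DD5-D70A-438B-8A42-98424B88AFB8}".encode("utf-16-le"))

if __name__ == "__main__":
    for off, name, enc in scan_for_clsids(SAMPLE):
        print(f"0x{off:04x} {name} ({enc})")
```

A GUID assembled on the stack from immediate values never appears contiguously in the file, so this static check misses the dynamic-assembly variant; that gap is what the behavioral monitoring of `CoCreateInstance` calls covers.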
## Mitigation Strategies
- **Prevention:** Use Windows Defender Application Control (WDAC) to restrict the loading of unsigned DLLs via COM.
- **Hardening:**
  - Restrict DCOM permissions using `Dcomcnfg.exe` to prevent remote activation.
  - Audit registry writes to `HKCU\Software\Classes\CLSID` to detect hijacking attempts.
- **Governance:** Disable unused COM-hosting services and limit the use of administrative scripting.
## Related Tools/Techniques
- **WMI (Windows Management Instrumentation):** Built on top of COM for system management.
- **BITS (Background Intelligent Transfer Service):** Frequently abused through COM interfaces for file downloads.
- **Explorer Shell Objects:** Abused for file execution and for User Account Control (UAC) bypass.