EXPLORE
Sign In
← Back to Explore
T1546.015

Component Object Model Hijacking

Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry. Adversaries may use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the CO...

Windows
13
Detections
3
Sources
1
Threat Actors

BY SOURCE

8sigma3splunk_escu2elastic

PROCEDURES (7)

Registry Monitoring4 detections

Auto-extracted: 4 detections for registry monitoring

Registry4 detections

Auto-extracted: 4 detections for registry

Persist1 detections

Auto-extracted: 1 detections for persist

Script Block1 detections

Auto-extracted: 1 detections for script block

Script Block1 detections

Auto-extracted: 1 detections for script block

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

THREAT ACTORS (1)

APT28

DETECTIONS (13)

COM Hijacking via TreatAs
sigmamedium
COM Object Hijacking Via Modification Of Default System CLSID Default Value
sigmahigh
Component Object Model Hijacking
elasticlow
Potential COM Object Hijacking Via TreatAs Subkey - Registry
sigmamedium
Potential Persistence Using DebugPath
sigmamedium
Potential Persistence Via Scrobj.dll COM Hijacking
sigmamedium
Potential PSFactoryBuffer COM Hijacking
sigmahigh
Potential RemoteMonologue Attack
elasticmedium
Powershell COM Hijacking InprocServer32 Modification
splunk_escu
Powershell Execute COM Object
splunk_escu
Rundll32 Registered COM Objects
sigmahigh
Suspicious GetTypeFromCLSID ShellExecute
sigmamedium
Windows COM Hijacking InprocServer32 Modification
splunk_escu