EXPLORE
Sign In
← Back to Explore
T1559.001

Component Object Model

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Cit...

Windows
16
Detections
3
Sources
3
Threat Actors

BY SOURCE

12elastic3sigma1splunk_escu

PROCEDURES (11)

Lateral3 detections

Auto-extracted: 3 detections for lateral

Bypass3 detections

Auto-extracted: 3 detections for bypass

Registry2 detections

Auto-extracted: 2 detections for registry

Process Access Monitoring1 detections

Auto-extracted: 1 detections for process access monitoring

Office1 detections

Auto-extracted: 1 detections for office

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Persist1 detections

Auto-extracted: 1 detections for persist

Unusual1 detections

Auto-extracted: 1 detections for unusual

Unusual1 detections

Auto-extracted: 1 detections for unusual

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

THREAT ACTORS (3)

Gamaredon GroupMedusa GroupMuddyWater

DETECTIONS (16)

CMSTP Execution Process Access
sigmahigh
DNS Query Request By Regsvr32.EXE
sigmamedium
Execution of COM object via Xwizard
elasticmedium
Incoming DCOM Lateral Movement via MSHTA
elastichigh
Incoming DCOM Lateral Movement with MMC
elastichigh
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
elasticmedium
Network Connection Initiated By Regsvr32.EXE
sigmamedium
Potential Command and Control via Internet Explorer
elasticmedium
Process Writing DynamicWrapperX
splunk_escu
Remote XSL Script Execution via COM
elasticlow
Suspicious Explorer Child Process
elasticmedium
Suspicious Image Load (taskschd.dll) from MS Office
elasticlow
Suspicious Inter-Process Communication via Outlook
elasticmedium
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
elasticmedium
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
elastichigh
UAC Bypass via ICMLuaUtil Elevated COM Interface
elastichigh