T1559.001

Component Object Model

Adversaries abuse the Windows Component Object Model (COM) to execute arbitrary code locally. COM is a binary interface standard enabling inter-process communication between software objects through defined interfaces. Threat actors leverage COM by instantiating known objects (WScript.Shell, Shell.Application, MMC20.Application, Schedule.Service) via scripting hosts, hijacking COM object registrations in HKCU to redirect execution to malicious DLLs, or using elevated COM interfaces (CMLuaUtil) to bypass User Account Control. Real-world use includes TrickBot and Latrodectus creating scheduled tasks via ITaskService, MuddyWater executing payloads via DCOM loopback, Gamaredon injecting macros via Microsoft.Office.Interop objects, and Raspberry Robin abusing CMLuaUtil for UAC bypass. Unlike DCOM (T1021.003), this technique focuses on local COM execution rather than remote lateral movement.

Microsoft Sentinel / Defender

kusto

let SuspiciousCOMObjects = dynamic([
  "MMC20.Application", "ShellWindows", "ShellBrowserWindow",
  "WScript.Shell", "Shell.Application", "Schedule.Service",
  "CMLuaUtil", "InternetExplorer.Application",
  "Microsoft.Office.Interop",
  "49B2791A-B1AE-4C90-9B8E-E860BA07F889",
  "9BA05972-F6A8-11CF-A442-00A0C91F3880",
  "C08AFD90-F2A1-11D1-8455-00A0C91F3880",
  "6EDD6D74-C007-4E75-B76A-E5740995E24C",
  "0F87369F-A4E5-4CFC-BD3E-73E6154572DD"
]);
// Branch 1: Script host COM object instantiation
let ScriptCOMAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (SuspiciousCOMObjects)
      or ProcessCommandLine has "-ComObject"
      or ProcessCommandLine has "CreateObject("
      or ProcessCommandLine has "GetTypeFromCLSID"
      or (ProcessCommandLine has "activator" and ProcessCommandLine has "CreateInstance")
| extend DetectionSource = "ScriptCOMAbuse"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionSource;
// Branch 2: COM surrogate (dllhost.exe) spawning unexpected child processes
let DllHostChildren = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "dllhost.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                      "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe",
                      "curl.exe", "wget.exe", "bitsadmin.exe")
| extend DetectionSource = "DllHostSurrogate"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionSource;
// Branch 3: COM hijacking via HKCU CLSID registry modification
let COMHijacking = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey contains @"HKEY_CURRENT_USER\Software\Classes\CLSID"
| where RegistryValueName in~ ("InProcServer32", "LocalServer32", "InProcServer")
| where RegistryValueData !has @"C:\Windows\System32"
      and RegistryValueData !has @"C:\Program Files"
      and RegistryValueData !has @"C:\Program Files (x86)"
| extend DetectionSource = "COMHijacking"
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = strcat("Registry: ", RegistryKey, " -> ", RegistryValueData),
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          DetectionSource;
// Union all detection branches
ScriptCOMAbuse
| union DllHostChildren
| union COMHijacking
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

IT administration scripts using New-Object -ComObject Shell.Application or WScript.Shell for legitimate file operations and system management
Software installers and MSI packages that use COM objects during installation (WScript.Shell to write registry keys, Shell.Application to extract files)
Legitimate user-space COM registration by applications such as Python pywin32, LibreOffice, or other third-party software that registers DLLs under HKCU\Software\Classes\CLSID
Monitoring agents and RMM tools (SolarWinds, ConnectWise, Datto) that use COM interfaces for system inventory or remote management
Development environments (Visual Studio, Python, Node.js) that routinely invoke COM interfaces for IDE features or build automation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  (EventCode=1 OR EventCode=12 OR EventCode=13)
| eval is_script_host=if(EventCode=1 AND match(Image, "(?i)\\\\(powershell|pwsh|wscript|cscript|mshta)\\.exe$"), 1, 0)
| eval is_com_pattern=if(
    is_script_host=1 AND match(CommandLine,
      "(?i)(-ComObject|CreateObject\\(|GetTypeFromCLSID|activator.*CreateInstance|MMC20\\.Application|ShellWindows|ShellBrowserWindow|Schedule\\.Service|WScript\\.Shell|Shell\\.Application|CMLuaUtil|49B2791A|9BA05972|C08AFD90|6EDD6D74|0F87369F|Microsoft\\.Office\\.Interop)"),
    1, 0)
| eval is_dllhost_child=if(
    EventCode=1
    AND match(ParentImage, "(?i)\\\\dllhost\\.exe$")
    AND match(Image, "(?i)\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|net|net1|whoami|curl|wget|bitsadmin)\\.exe$"),
    1, 0)
| eval is_com_hijack=if(
    (EventCode=12 OR EventCode=13)
    AND match(TargetObject, "(?i)HKCU\\\\Software\\\\Classes\\\\CLSID")
    AND match(TargetObject, "(?i)(InProcServer32|LocalServer32|InProcServer)")
    AND NOT match(Details, "(?i)(C:\\\\Windows\\\\System32|C:\\\\Program Files)"),
    1, 0)
| where is_com_pattern=1 OR is_dllhost_child=1 OR is_com_hijack=1
| eval DetectionSource=case(
    is_com_hijack=1, "COMHijacking",
    is_dllhost_child=1, "DllHostSurrogate",
    is_com_pattern=1, "ScriptCOMAbuse",
    true(), "Unknown")
| eval ProcessPath=coalesce(Image, "N/A")
| eval CmdLine=coalesce(CommandLine, Details, "N/A")
| eval ParentProc=coalesce(ParentImage, "N/A")
| eval RegistryKey=coalesce(TargetObject, "N/A")
| table _time, host, User, ProcessPath, CmdLine, ParentProc, ParentCommandLine, RegistryKey, DetectionSource
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 12 Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administration scripts using New-Object -ComObject Shell.Application or WScript.Shell for legitimate file operations and system management
Software installers and MSI packages that use COM objects during installation
Legitimate user-space COM registration by applications such as Python pywin32, LibreOffice, or third-party software registering DLLs under HKCU\Software\Classes\CLSID
Monitoring agents and RMM tools that use COM interfaces for system inventory or remote management
Development environments that routinely invoke COM interfaces for IDE features or build automation

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where event.category == "process" and
  process.name in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe") and
  (
    process.args : ("-ComObject", "*CreateObject(*", "*GetTypeFromCLSID*", "*CreateInstance*") or
    process.command_line : ("*MMC20.Application*", "*ShellWindows*", "*ShellBrowserWindow*", "*WScript.Shell*", "*Shell.Application*", "*Schedule.Service*", "*CMLuaUtil*", "*InternetExplorer.Application*", "*Microsoft.Office.Interop*", "*49B2791A*", "*9BA05972*", "*C08AFD90*", "*6EDD6D74*", "*0F87369F*")
  )
] by process.entity_id

pipe

sequence by host.name with maxspan=30s
[
  process where event.type == "start" and
  process.parent.name : "dllhost.exe" and
  process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "curl.exe", "wget.exe", "bitsadmin.exe")
] by process.entity_id

/* Alternate: COM Hijacking via registry */
/* registry where registry.path : "*\\SOFTWARE\\Classes\\CLSID\\*" and
   registry.value in~ ("InProcServer32", "LocalServer32", "InProcServer") and
   not registry.data.strings : ("C:\\Windows\\System32\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*") */

high severity high confidence

Data Sources

Elastic Endpoint Elastic Agent Windows Event Logs via Winlogbeat Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-windows.*

False Positives

Legitimate administrative scripts that use COM objects such as WScript.Shell or Shell.Application for automation tasks like software deployment or configuration management
dllhost.exe legitimately spawns child processes during thumbnail generation, Windows Search indexing, or when hosting out-of-process COM servers for applications like Office or Windows Explorer
Enterprise software packaging tools (SCCM, PDQ Deploy, Ansible) may invoke COM interfaces for system configuration and will trigger the script-host COM pattern

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username,
  "ProcessImage" AS process_image,
  "CommandLine" AS command_line,
  "ParentProcessImage" AS parent_image,
  "RegistryKey" AS registry_key,
  CASE
    WHEN "RegistryKey" LIKE '%HKCU\Software\Classes\CLSID%' THEN 'COMHijacking'
    WHEN "ParentProcessImage" LIKE '%\dllhost.exe' THEN 'DllHostSurrogate'
    ELSE 'ScriptCOMAbuse'
  END AS detection_source,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
  AND (
    -- Branch 1: Script host COM instantiation (Sysmon EID 1)
    (
      qidname(qid) = 'Process Create'
      AND (
        LOWER("ProcessImage") LIKE '%\powershell.exe'
        OR LOWER("ProcessImage") LIKE '%\pwsh.exe'
        OR LOWER("ProcessImage") LIKE '%\wscript.exe'
        OR LOWER("ProcessImage") LIKE '%\cscript.exe'
        OR LOWER("ProcessImage") LIKE '%\mshta.exe'
      )
      AND (
        LOWER("CommandLine") LIKE '%-comobject%'
        OR LOWER("CommandLine") LIKE '%createobject(%'
        OR LOWER("CommandLine") LIKE '%gettypefromclsid%'
        OR LOWER("CommandLine") LIKE '%createinstance%'
        OR LOWER("CommandLine") LIKE '%mmc20.application%'
        OR LOWER("CommandLine") LIKE '%shellwindows%'
        OR LOWER("CommandLine") LIKE '%schedule.service%'
        OR LOWER("CommandLine") LIKE '%wscript.shell%'
        OR LOWER("CommandLine") LIKE '%shell.application%'
        OR LOWER("CommandLine") LIKE '%cmluautil%'
        OR LOWER("CommandLine") LIKE '%49b2791a%'
        OR LOWER("CommandLine") LIKE '%9ba05972%'
        OR LOWER("CommandLine") LIKE '%c08afd90%'
        OR LOWER("CommandLine") LIKE '%6edd6d74%'
        OR LOWER("CommandLine") LIKE '%microsoft.office.interop%'
      )
    )
    OR
    -- Branch 2: dllhost.exe spawning suspicious children (Sysmon EID 1)
    (
      qidname(qid) = 'Process Create'
      AND LOWER("ParentProcessImage") LIKE '%\dllhost.exe'
      AND (
        LOWER("ProcessImage") LIKE '%\cmd.exe'
        OR LOWER("ProcessImage") LIKE '%\powershell.exe'
        OR LOWER("ProcessImage") LIKE '%\pwsh.exe'
        OR LOWER("ProcessImage") LIKE '%\wscript.exe'
        OR LOWER("ProcessImage") LIKE '%\cscript.exe'
        OR LOWER("ProcessImage") LIKE '%\mshta.exe'
        OR LOWER("ProcessImage") LIKE '%\rundll32.exe'
        OR LOWER("ProcessImage") LIKE '%\regsvr32.exe'
        OR LOWER("ProcessImage") LIKE '%\certutil.exe'
        OR LOWER("ProcessImage") LIKE '%\whoami.exe'
        OR LOWER("ProcessImage") LIKE '%\curl.exe'
        OR LOWER("ProcessImage") LIKE '%\bitsadmin.exe'
      )
    )
    OR
    -- Branch 3: COM hijacking via HKCU CLSID (Sysmon EID 12/13)
    (
      qidname(qid) IN ('Registry object added or deleted', 'Registry value set')
      AND LOWER("RegistryKey") LIKE '%hkcu\software\classes\clsid%'
      AND (
        LOWER("RegistryKey") LIKE '%inprocserver32%'
        OR LOWER("RegistryKey") LIKE '%localserver32%'
        OR LOWER("RegistryKey") LIKE '%inprocserver%'
      )
      AND LOWER("RegistryData") NOT LIKE '%c:\windows\system32%'
      AND LOWER("RegistryData") NOT LIKE '%c:\program files%'
    )
  )
ORDER BY starttime DESC

high severity high confidence

Data Sources

Microsoft Windows Security Event Log via QRadar DSM Sysmon via Windows Event Log DSM QRadar Endpoint Detection

Required Tables

events

False Positives

Legitimate PowerShell automation scripts in enterprise environments routinely use COM objects like Shell.Application or WScript.Shell for scheduled tasks, file operations, or UI automation via deployment frameworks
Windows thumbnail extraction via dllhost.exe routinely spawns short-lived worker processes; imaging or Office document previewing may generate these events at high volume without malicious intent
Software uninstallers and update mechanisms (e.g. Adobe, Microsoft Office updaters) commonly write temporary COM server registrations under HKCU\Software\Classes\CLSID during installation or update workflows

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse field=Message "Image: *" as process_image nodrop
| parse field=Message "CommandLine: *" as command_line nodrop
| parse field=Message "ParentImage: *" as parent_image nodrop
| parse field=Message "TargetObject: *" as registry_key nodrop
| parse field=Message "Details: *" as registry_data nodrop
| parse field=Message "User: *" as username nodrop
| parse field=Message "Computer: *" as hostname nodrop
| parse field=Message "EventID: *" as event_id nodrop
// Branch 1: Script host COM instantiation
| eval is_script_host = if(
    event_id = "1" AND
    (
      toLowerCase(process_image) matches ".*\\\\(powershell|pwsh|wscript|cscript|mshta)\.exe$"
    ),
    1, 0)
| eval is_com_pattern = if(
    is_script_host = 1 AND
    (
      toLowerCase(command_line) contains "-comobject" OR
      toLowerCase(command_line) contains "createobject(" OR
      toLowerCase(command_line) contains "gettypefromclsid" OR
      (toLowerCase(command_line) contains "activator" AND toLowerCase(command_line) contains "createinstance") OR
      toLowerCase(command_line) contains "mmc20.application" OR
      toLowerCase(command_line) contains "shellwindows" OR
      toLowerCase(command_line) contains "shellbrowserwindow" OR
      toLowerCase(command_line) contains "wscript.shell" OR
      toLowerCase(command_line) contains "shell.application" OR
      toLowerCase(command_line) contains "schedule.service" OR
      toLowerCase(command_line) contains "cmluautil" OR
      toLowerCase(command_line) contains "49b2791a" OR
      toLowerCase(command_line) contains "9ba05972" OR
      toLowerCase(command_line) contains "c08afd90" OR
      toLowerCase(command_line) contains "6edd6d74" OR
      toLowerCase(command_line) contains "0f87369f" OR
      toLowerCase(command_line) contains "microsoft.office.interop"
    ),
    1, 0)
// Branch 2: dllhost.exe surrogate children
| eval is_dllhost_child = if(
    event_id = "1" AND
    toLowerCase(parent_image) matches ".*\\\\dllhost\.exe$" AND
    (
      toLowerCase(process_image) matches ".*\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|net|net1|whoami|curl|wget|bitsadmin)\.exe$"
    ),
    1, 0)
// Branch 3: COM hijacking via HKCU registry
| eval is_com_hijack = if(
    (event_id = "12" OR event_id = "13") AND
    toLowerCase(registry_key) contains "hkcu\\software\\classes\\clsid" AND
    (
      toLowerCase(registry_key) contains "inprocserver32" OR
      toLowerCase(registry_key) contains "localserver32" OR
      toLowerCase(registry_key) contains "inprocserver"
    ) AND
    !(toLowerCase(registry_data) contains "c:\\windows\\system32" OR
      toLowerCase(registry_data) contains "c:\\program files"),
    1, 0)
| where is_com_pattern = 1 OR is_dllhost_child = 1 OR is_com_hijack = 1
| eval detection_source = if(is_com_hijack = 1, "COMHijacking",
                          if(is_dllhost_child = 1, "DllHostSurrogate",
                          if(is_com_pattern = 1, "ScriptCOMAbuse", "Unknown")))
| eval cmd_or_reg = if(!isNull(command_line), command_line, registry_key)
| fields _messageTime, hostname, username, process_image, cmd_or_reg, parent_image, registry_data, detection_source
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Sysmon source Windows Event Logs via Sumo Logic Universal Forwarder Sumo Logic Cloud SIEM Enterprise normalized Windows events

Required Tables

windows/sysmon windows/security

False Positives

IT automation and RPA (Robotic Process Automation) platforms like UiPath or Blue Prism routinely spawn scripting hosts that instantiate COM objects such as Shell.Application for desktop automation, creating high-volume benign matches
dllhost.exe is the host process for out-of-process COM servers and will spawn child processes during legitimate operations like Windows Photo Viewer, OneDrive sync, and legacy Office 32-bit COM interop
Developers working with Office COM interop libraries in .NET (Microsoft.Office.Interop.*) will routinely trigger the script COM pattern during build and test workflows on developer workstations

Google Chronicle / SecOps

yaral

rule t1559_001_com_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects COM abuse (T1559.001) via script host COM instantiation, dllhost.exe surrogate children, and COM hijacking via HKCU CLSID registry modification"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1559.001"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"
    created = "2026-04-20"

  events:
    // Branch 1: Script host COM instantiation
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)\\(powershell|pwsh|wscript|cscript|mshta)\.exe$`)
      )
      and (
        re.regex($e1.target.process.command_line, `(?i)(-ComObject|CreateObject\(|GetTypeFromCLSID|activator.*CreateInstance)`)
        or re.regex($e1.target.process.command_line, `(?i)(MMC20\.Application|ShellWindows|ShellBrowserWindow|WScript\.Shell|Shell\.Application|Schedule\.Service|CMLuaUtil|InternetExplorer\.Application|Microsoft\.Office\.Interop)`)
        or re.regex($e1.target.process.command_line, `(?i)(49B2791A|9BA05972|C08AFD90|6EDD6D74|0F87369F)`)
      )
    )
    or
    // Branch 2: dllhost.exe COM surrogate spawning unexpected children
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)\\dllhost\.exe$`)
      and re.regex($e1.target.process.file.full_path, `(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|net|net1|whoami|curl|wget|bitsadmin)\.exe$`)
    )
    or
    // Branch 3: COM hijacking via HKCU CLSID registry write
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e1.target.registry.registry_key, `(?i)HKCU\\Software\\Classes\\CLSID`)
      and re.regex($e1.target.registry.registry_key, `(?i)(InProcServer32|LocalServer32|InProcServer)`)
      and not re.regex($e1.target.registry.registry_value_data, `(?i)(C:\\Windows\\System32|C:\\Program Files)`)
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Chronicle UDM normalized Windows endpoint events Google Chronicle Forwarder with Windows Event Log or Sysmon Chronicle ingestion of CrowdStrike or Carbon Black telemetry mapped to UDM

Required Tables

UDM process events (PROCESS_LAUNCH) UDM registry events (REGISTRY_MODIFICATION)

False Positives

Windows management scripts deployed via Group Policy or SCCM using PowerShell with COM objects (WScript.Shell, Shell.Application, Schedule.Service) for inventory, patch management, or application deployment will match Branch 1 at high frequency in managed enterprise environments
Anti-virus and endpoint protection products routinely use dllhost.exe as a host process for scan engines and may spawn cmd.exe or PowerShell for remediation actions, triggering Branch 2 with benign intent
Software development workflows on Windows involving COM interop testing, Office automation testing, or COM server registration/unregistration will write CLSID entries to HKCU during testing, matching Branch 3 without malicious intent

CrowdStrike LogScale (CQL)

cql

// Branch 1: Script host COM object instantiation
(
  #event_simpleName = "ProcessRollup2"
  | ImageFileName = /(powershell|pwsh|wscript|cscript|mshta)\.exe$/i
  | CommandLine = /(-ComObject|CreateObject\(|GetTypeFromCLSID|activator.*CreateInstance|MMC20\.Application|ShellWindows|ShellBrowserWindow|WScript\.Shell|Shell\.Application|Schedule\.Service|CMLuaUtil|InternetExplorer\.Application|Microsoft\.Office\.Interop|49B2791A|9BA05972|C08AFD90|6EDD6D74|0F87369F)/i
  | TargetProcessId != null
  | eval DetectionSource = "ScriptCOMAbuse"
)

union

// Branch 2: dllhost.exe surrogate spawning suspicious child processes
(
  #event_simpleName = "ProcessRollup2"
  | ParentBaseFileName = /^dllhost\.exe$/i
  | ImageFileName = /(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|net|net1|whoami|curl|wget|bitsadmin)\.exe$/i
  | eval DetectionSource = "DllHostSurrogate"
)

union

// Branch 3: COM hijacking via HKCU CLSID registry write
(
  #event_simpleName in ("RegGenericValueUpdate", "RegistryOperationCreate", "RegistryOperationUpdate")
  | RegObjectName = /HKCU\\Software\\Classes\\CLSID/i
  | RegObjectName = /(InProcServer32|LocalServer32|InProcServer)/i
  | RegStringValue != /^(C:\\Windows\\System32|C:\\Program Files)/i
  | eval DetectionSource = "COMHijacking"
)

| table(["@timestamp", "ComputerName", "UserName", "ImageFileName", "CommandLine", "ParentBaseFileName", "RegObjectName", "RegStringValue", "DetectionSource", "aid"])
| sort(field="@timestamp", order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Insight XDR process telemetry Falcon registry monitoring via kernel sensor

Required Tables

ProcessRollup2 RegGenericValueUpdate RegistryOperationCreate RegistryOperationUpdate

False Positives

CrowdStrike Falcon sensors on workstations running enterprise automation tools (AutoIt, AutoHotKey, or Macro schedulers) that leverage COM for UI automation will generate high-volume ScriptCOMAbuse matches as these legitimately use CreateObject() and WScript.Shell
Microsoft SCCM and Intune client agents use dllhost.exe-hosted COM servers for WMI and software inventory operations and may spawn cmd.exe or PowerShell subprocesses as part of legitimate client health workflows, triggering the DllHostSurrogate branch
Legitimate user-mode COM server installations during application setup (e.g., Acrobat, VLC, or development tools registering shell extensions) will write HKCU\Software\Classes\CLSID entries pointing to non-system paths, generating COMHijacking alerts during installation

Last updated: 2026-04-20 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1559.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Component Object Model

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections