Which SIEM platforms have a T1559.001 detection rule?

df00tech provides T1559.001 (Component Object Model) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Component Object Model (T1559.001)?

Detecting Component Object Model requires the following data sources: Process: Process Creation, Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint.

What severity and confidence is the T1559.001 detection?

The T1559.001 detection is rated high severity with medium confidence.

What are common false positives for T1559.001?

Common false positives for T1559.001 include: IT administration scripts using New-Object -ComObject Shell.Application or WScript.Shell for legitimate file operations and system management; Software installers and MSI packages that use COM objects during installation (WScript.Shell to write registry keys, Shell.Application to extract files); Legitimate user-space COM registration by applications such as Python pywin32, LibreOffice, or other third-party software that registers DLLs under HKCU\Software\Classes\CLSID.

T1559.001 Elastic Security · Elastic

Detect Component Object Model in Elastic Security

Adversaries abuse the Windows Component Object Model (COM) to execute arbitrary code locally. COM is a binary interface standard enabling inter-process communication between software objects through defined interfaces. Threat actors leverage COM by instantiating known objects (WScript.Shell, Shell.Application, MMC20.Application, Schedule.Service) via scripting hosts, hijacking COM object registrations in HKCU to redirect execution to malicious DLLs, or using elevated COM interfaces (CMLuaUtil) to bypass User Account Control. Real-world use includes TrickBot and Latrodectus creating scheduled tasks via ITaskService, MuddyWater executing payloads via DCOM loopback, Gamaredon injecting macros via Microsoft.Office.Interop objects, and Raspberry Robin abusing CMLuaUtil for UAC bypass. Unlike DCOM (T1021.003), this technique focuses on local COM execution rather than remote lateral movement.

MITRE ATT&CK

Tactic: Execution
Technique: T1559 Inter-Process Communication
Sub-technique: T1559.001 Component Object Model
Canonical reference: https://attack.mitre.org/techniques/T1559/001/

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by host.name with maxspan=5m
[
  any where event.category == "process" and
  process.name in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe") and
  (
    process.args : ("-ComObject", "*CreateObject(*", "*GetTypeFromCLSID*", "*CreateInstance*") or
    process.command_line : ("*MMC20.Application*", "*ShellWindows*", "*ShellBrowserWindow*", "*WScript.Shell*", "*Shell.Application*", "*Schedule.Service*", "*CMLuaUtil*", "*InternetExplorer.Application*", "*Microsoft.Office.Interop*", "*49B2791A*", "*9BA05972*", "*C08AFD90*", "*6EDD6D74*", "*0F87369F*")
  )
] by process.entity_id

pipe

sequence by host.name with maxspan=30s
[
  process where event.type == "start" and
  process.parent.name : "dllhost.exe" and
  process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "curl.exe", "wget.exe", "bitsadmin.exe")
] by process.entity_id

/* Alternate: COM Hijacking via registry */
/* registry where registry.path : "*\\SOFTWARE\\Classes\\CLSID\\*" and
   registry.value in~ ("InProcServer32", "LocalServer32", "InProcServer") and
   not registry.data.strings : ("C:\\Windows\\System32\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*") */

high severity high confidence

Detects Windows COM abuse (T1559.001) across three behavioral patterns: (1) script hosts invoking suspicious COM objects or using COM instantiation patterns, (2) the COM surrogate process dllhost.exe spawning unexpected shell/utility children, and (3) COM hijacking via HKCU CLSID registry key modification to redirect execution. Covers TrickBot ITaskService abuse, MuddyWater DCOM loopback, and CMLuaUtil UAC bypass patterns.

Data Sources

Elastic EndpointElastic AgentWindows Event Logs via WinlogbeatSysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.registry-*logs-windows.*

False Positives & Tuning

Legitimate administrative scripts that use COM objects such as WScript.Shell or Shell.Application for automation tasks like software deployment or configuration management
dllhost.exe legitimately spawns child processes during thumbnail generation, Windows Search indexing, or when hosting out-of-process COM servers for applications like Office or Windows Explorer
Enterprise software packaging tools (SCCM, PDQ Deploy, Ansible) may invoke COM interfaces for system configuration and will trigger the script-host COM pattern

Download portable Sigma rule (.yml)

Other platforms for T1559.001

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Scheduled Task Creation via ITaskService COM Interface
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Schedule.Service' and 'ITaskService'. Windows Task Scheduler Operational log Event ID 106 (task registered) for 'df00tech-COM-test'. Security Event ID 4698 (scheduled task created) if task auditing is enabled. PowerShell Script Block Log Event ID 4104 with the full COM invocation code.
Test 2Shell.Application COM Object Code Execution
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Shell.Application' and 'ShellExecute'. Second Sysmon Event ID 1 for calc.exe with ParentImage=explorer.exe or svchost.exe (the COM process host — ShellExecute routes through explorer.exe's COM server). Security Event ID 4688 for calc.exe process creation. PowerShell Script Block Log Event ID 4104.
Test 3WScript.Shell COM Execution with Run Method
Expected signal: Sysmon Event ID 1: powershell.exe with 'WScript.Shell' in CommandLine. Sysmon Event ID 1: cmd.exe spawned (parent will be wscript.exe or svchost.exe depending on activation context, NOT powershell.exe). Sysmon Event ID 11: file create for df00tech-com-test.txt. PowerShell Script Block Log Event ID 4104.
Test 4COM Hijacking via HKCU CLSID Registration
Expected signal: Sysmon Event ID 12 (Registry Object Create): TargetObject=HKCU\Software\Classes\CLSID\{DF000001-...}\InProcServer32. Sysmon Event ID 13 (Registry Value Set): TargetObject containing InProcServer32 with Details=%APPDATA%\df00tech-evil.dll. Security Event ID 4657 (registry value modified) if object access auditing is enabled. The ThreadingModel value is a hallmark of legitimate InProcServer32 registrations that malware mimics.

Last updated: 2026-04-20 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1559.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Component Object Model in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1559.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Execution

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1559.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox