Detect Component Object Model in IBM QRadar
Adversaries abuse the Windows Component Object Model (COM) to execute arbitrary code locally. COM is a binary interface standard enabling inter-process communication between software objects through defined interfaces. Threat actors leverage COM by instantiating known objects (WScript.Shell, Shell.Application, MMC20.Application, Schedule.Service) via scripting hosts, hijacking COM object registrations in HKCU to redirect execution to malicious DLLs, or using elevated COM interfaces (CMLuaUtil) to bypass User Account Control. Real-world use includes TrickBot and Latrodectus creating scheduled tasks via ITaskService, MuddyWater executing payloads via DCOM loopback, Gamaredon injecting macros via Microsoft.Office.Interop objects, and Raspberry Robin abusing CMLuaUtil for UAC bypass. Unlike DCOM (T1021.003), this technique focuses on local COM execution rather than remote lateral movement.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1559 Inter-Process Communication
- Sub-technique
- T1559.001 Component Object Model
- Canonical reference
- https://attack.mitre.org/techniques/T1559/001/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
devicehostname AS host,
username,
"ProcessImage" AS process_image,
"CommandLine" AS command_line,
"ParentProcessImage" AS parent_image,
"RegistryKey" AS registry_key,
CASE
WHEN "RegistryKey" LIKE '%HKCU\Software\Classes\CLSID%' THEN 'COMHijacking'
WHEN "ParentProcessImage" LIKE '%\dllhost.exe' THEN 'DllHostSurrogate'
ELSE 'ScriptCOMAbuse'
END AS detection_source,
logsourcename(logsourceid) AS log_source
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
AND (
-- Branch 1: Script host COM instantiation (Sysmon EID 1)
(
qidname(qid) = 'Process Create'
AND (
LOWER("ProcessImage") LIKE '%\powershell.exe'
OR LOWER("ProcessImage") LIKE '%\pwsh.exe'
OR LOWER("ProcessImage") LIKE '%\wscript.exe'
OR LOWER("ProcessImage") LIKE '%\cscript.exe'
OR LOWER("ProcessImage") LIKE '%\mshta.exe'
)
AND (
LOWER("CommandLine") LIKE '%-comobject%'
OR LOWER("CommandLine") LIKE '%createobject(%'
OR LOWER("CommandLine") LIKE '%gettypefromclsid%'
OR LOWER("CommandLine") LIKE '%createinstance%'
OR LOWER("CommandLine") LIKE '%mmc20.application%'
OR LOWER("CommandLine") LIKE '%shellwindows%'
OR LOWER("CommandLine") LIKE '%schedule.service%'
OR LOWER("CommandLine") LIKE '%wscript.shell%'
OR LOWER("CommandLine") LIKE '%shell.application%'
OR LOWER("CommandLine") LIKE '%cmluautil%'
OR LOWER("CommandLine") LIKE '%49b2791a%'
OR LOWER("CommandLine") LIKE '%9ba05972%'
OR LOWER("CommandLine") LIKE '%c08afd90%'
OR LOWER("CommandLine") LIKE '%6edd6d74%'
OR LOWER("CommandLine") LIKE '%microsoft.office.interop%'
)
)
OR
-- Branch 2: dllhost.exe spawning suspicious children (Sysmon EID 1)
(
qidname(qid) = 'Process Create'
AND LOWER("ParentProcessImage") LIKE '%\dllhost.exe'
AND (
LOWER("ProcessImage") LIKE '%\cmd.exe'
OR LOWER("ProcessImage") LIKE '%\powershell.exe'
OR LOWER("ProcessImage") LIKE '%\pwsh.exe'
OR LOWER("ProcessImage") LIKE '%\wscript.exe'
OR LOWER("ProcessImage") LIKE '%\cscript.exe'
OR LOWER("ProcessImage") LIKE '%\mshta.exe'
OR LOWER("ProcessImage") LIKE '%\rundll32.exe'
OR LOWER("ProcessImage") LIKE '%\regsvr32.exe'
OR LOWER("ProcessImage") LIKE '%\certutil.exe'
OR LOWER("ProcessImage") LIKE '%\whoami.exe'
OR LOWER("ProcessImage") LIKE '%\curl.exe'
OR LOWER("ProcessImage") LIKE '%\bitsadmin.exe'
)
)
OR
-- Branch 3: COM hijacking via HKCU CLSID (Sysmon EID 12/13)
(
qidname(qid) IN ('Registry object added or deleted', 'Registry value set')
AND LOWER("RegistryKey") LIKE '%hkcu\software\classes\clsid%'
AND (
LOWER("RegistryKey") LIKE '%inprocserver32%'
OR LOWER("RegistryKey") LIKE '%localserver32%'
OR LOWER("RegistryKey") LIKE '%inprocserver%'
)
AND LOWER("RegistryData") NOT LIKE '%c:\windows\system32%'
AND LOWER("RegistryData") NOT LIKE '%c:\program files%'
)
)
ORDER BY starttime DESCAQL query targeting Sysmon events (EID 1 process create, EID 12/13 registry operations) to detect COM abuse patterns: scripting host COM instantiation using known malicious COM class names or instantiation APIs, dllhost.exe COM surrogate spawning shell/utility children, and COM hijacking via HKCU CLSID registry writes pointing outside trusted paths.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate PowerShell automation scripts in enterprise environments routinely use COM objects like Shell.Application or WScript.Shell for scheduled tasks, file operations, or UI automation via deployment frameworks
- Windows thumbnail extraction via dllhost.exe routinely spawns short-lived worker processes; imaging or Office document previewing may generate these events at high volume without malicious intent
- Software uninstallers and update mechanisms (e.g. Adobe, Microsoft Office updaters) commonly write temporary COM server registrations under HKCU\Software\Classes\CLSID during installation or update workflows
Other platforms for T1559.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Scheduled Task Creation via ITaskService COM Interface
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Schedule.Service' and 'ITaskService'. Windows Task Scheduler Operational log Event ID 106 (task registered) for 'df00tech-COM-test'. Security Event ID 4698 (scheduled task created) if task auditing is enabled. PowerShell Script Block Log Event ID 4104 with the full COM invocation code.
- Test 2Shell.Application COM Object Code Execution
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Shell.Application' and 'ShellExecute'. Second Sysmon Event ID 1 for calc.exe with ParentImage=explorer.exe or svchost.exe (the COM process host — ShellExecute routes through explorer.exe's COM server). Security Event ID 4688 for calc.exe process creation. PowerShell Script Block Log Event ID 4104.
- Test 3WScript.Shell COM Execution with Run Method
Expected signal: Sysmon Event ID 1: powershell.exe with 'WScript.Shell' in CommandLine. Sysmon Event ID 1: cmd.exe spawned (parent will be wscript.exe or svchost.exe depending on activation context, NOT powershell.exe). Sysmon Event ID 11: file create for df00tech-com-test.txt. PowerShell Script Block Log Event ID 4104.
- Test 4COM Hijacking via HKCU CLSID Registration
Expected signal: Sysmon Event ID 12 (Registry Object Create): TargetObject=HKCU\Software\Classes\CLSID\{DF000001-...}\InProcServer32. Sysmon Event ID 13 (Registry Value Set): TargetObject containing InProcServer32 with Details=%APPDATA%\df00tech-evil.dll. Security Event ID 4657 (registry value modified) if object access auditing is enabled. The ThreadingModel value is a hallmark of legitimate InProcServer32 registrations that malware mimics.
References (10)
- https://attack.mitre.org/techniques/T1559/001/
- https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.001/T1559.001.md
- https://learn.microsoft.com/en-us/windows/win32/com/com-technical-overview
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://www.elastic.co/security-labs/exploring-the-latrodectus-payload
- https://www.welivesecurity.com/2020/10/02/eset-discovers-trickbot-new-module-targeting/
Unlock Pro Content
Get the full detection package for T1559.001 including response playbook, investigation guide, and atomic red team tests.