Detect Component Object Model in Sumo Logic CSE
Adversaries abuse the Windows Component Object Model (COM) to execute arbitrary code locally. COM is a binary interface standard enabling inter-process communication between software objects through defined interfaces. Threat actors leverage COM by instantiating known objects (WScript.Shell, Shell.Application, MMC20.Application, Schedule.Service) via scripting hosts, hijacking COM object registrations in HKCU to redirect execution to malicious DLLs, or using elevated COM interfaces (CMLuaUtil) to bypass User Account Control. Real-world use includes TrickBot and Latrodectus creating scheduled tasks via ITaskService, MuddyWater executing payloads via DCOM loopback, Gamaredon injecting macros via Microsoft.Office.Interop objects, and Raspberry Robin abusing CMLuaUtil for UAC bypass. Unlike DCOM (T1021.003), this technique focuses on local COM execution rather than remote lateral movement.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1559 Inter-Process Communication
- Sub-technique: T1559.001 Component Object Model
- Canonical reference: https://attack.mitre.org/techniques/T1559/001/
Sumo Detection Query
(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse field=Message "Image: *" as process_image nodrop
| parse field=Message "CommandLine: *" as command_line nodrop
| parse field=Message "ParentImage: *" as parent_image nodrop
| parse field=Message "TargetObject: *" as registry_key nodrop
| parse field=Message "Details: *" as registry_data nodrop
| parse field=Message "User: *" as username nodrop
| parse field=Message "Computer: *" as hostname nodrop
| parse field=Message "EventID: *" as event_id nodrop
// Branch 1: Script host COM instantiation (Sumo derives fields with "| if(...) as field", not eval)
| if(
    event_id = "1" AND
    toLowerCase(process_image) matches ".*\\\\(powershell|pwsh|wscript|cscript|mshta)\.exe$",
  1, 0) as is_script_host
| if(
    is_script_host = 1 AND
    (
      toLowerCase(command_line) contains "-comobject" OR
      toLowerCase(command_line) contains "createobject(" OR
      toLowerCase(command_line) contains "gettypefromclsid" OR
      (toLowerCase(command_line) contains "activator" AND toLowerCase(command_line) contains "createinstance") OR
      toLowerCase(command_line) contains "mmc20.application" OR
      toLowerCase(command_line) contains "shellwindows" OR
      toLowerCase(command_line) contains "shellbrowserwindow" OR
      toLowerCase(command_line) contains "wscript.shell" OR
      toLowerCase(command_line) contains "shell.application" OR
      toLowerCase(command_line) contains "schedule.service" OR
      toLowerCase(command_line) contains "cmluautil" OR
      // Leading CLSID blocks of the same objects, for scripts that use the GUID instead of the ProgID
      toLowerCase(command_line) contains "49b2791a" OR
      toLowerCase(command_line) contains "9ba05972" OR
      toLowerCase(command_line) contains "c08afd90" OR
      toLowerCase(command_line) contains "6edd6d74" OR
      toLowerCase(command_line) contains "0f87369f" OR
      toLowerCase(command_line) contains "microsoft.office.interop"
    ),
  1, 0) as is_com_pattern
// Branch 2: dllhost.exe surrogate children
| if(
    event_id = "1" AND
    toLowerCase(parent_image) matches ".*\\\\dllhost\.exe$" AND
    toLowerCase(process_image) matches ".*\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|net|net1|whoami|curl|wget|bitsadmin)\.exe$",
  1, 0) as is_dllhost_child
// Branch 3: COM hijacking via HKCU CLSID keys.
// Sysmon records the current-user hive as HKU\<SID>\..., so match both spellings.
| if(
    (event_id = "12" OR event_id = "13") AND
    (
      toLowerCase(registry_key) contains "hkcu\\software\\classes\\clsid" OR
      (toLowerCase(registry_key) contains "hku\\s-1-5-" AND toLowerCase(registry_key) contains "\\software\\classes\\clsid")
    ) AND
    (
      toLowerCase(registry_key) contains "inprocserver32" OR
      toLowerCase(registry_key) contains "localserver32" OR
      toLowerCase(registry_key) contains "inprocserver"
    ) AND
    !(toLowerCase(registry_data) contains "c:\\windows\\system32" OR
      toLowerCase(registry_data) contains "c:\\program files"),
  1, 0) as is_com_hijack
| where is_com_pattern = 1 OR is_dllhost_child = 1 OR is_com_hijack = 1
// Precedence: registry hijack over surrogate child over script-host pattern
| if(is_com_hijack = 1, "COMHijacking",
    if(is_dllhost_child = 1, "DllHostSurrogate",
      if(is_com_pattern = 1, "ScriptCOMAbuse", "Unknown"))) as detection_source
| if(isNull(command_line), registry_key, command_line) as cmd_or_reg
| fields _messageTime, hostname, username, process_image, cmd_or_reg, parent_image, registry_data, detection_source
| sort by _messageTime desc

Sumo Logic query over Sysmon operational logs detecting COM abuse (T1559.001) through three branches: script host invocation of known COM objects or instantiation APIs (Sysmon EID 1), COM surrogate dllhost.exe spawning suspicious child processes (Sysmon EID 1), and COM hijacking via HKCU CLSID registry writes to non-standard paths (Sysmon EID 12/13). Covers TrickBot scheduled task creation, CMLuaUtil UAC bypass, and DCOM loopback execution.
Data Sources
- _sourceCategory="windows/sysmon": Sysmon Operational log, Event ID 1 (Process Create) and Event IDs 12/13 (Registry Object Create / Value Set); the query parses Image, CommandLine, ParentImage, TargetObject, Details, User, Computer and EventID out of the Message field
- _sourceCategory="windows/security": Windows Security log, selected by the query; the Testing Methodology below lists Security Event IDs 4688, 4698 and 4657 as corroborating signals
False Positives & Tuning
- IT automation and RPA (Robotic Process Automation) platforms like UiPath or Blue Prism routinely spawn scripting hosts that instantiate COM objects such as Shell.Application for desktop automation, creating high-volume benign matches
- dllhost.exe is the host process for out-of-process COM servers and will spawn child processes during legitimate operations like Windows Photo Viewer, OneDrive sync, and legacy Office 32-bit COM interop
- Developers working with Office COM interop libraries in .NET (Microsoft.Office.Interop.*) will routinely trigger the script COM pattern during build and test workflows on developer workstations
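The three-branch logic of the query above, together with the parent-process tuning suggested by the False Positives list, re-expressed as a small Python triage script that runs over constructed Sysmon-style messages. This is an added example, not the page's query or any Sumo Logic code; the sample events, user and host names, the placeholder CLSID and the UiRobot.exe allow-list entry are all constructed here, and the HKU\<SID> spelling of current-user keys reflects how Sysmon records them.

```python
"""Three-branch COM-abuse triage over Sysmon messages (illustrative re-implementation)."""
import re

# The key: value pairs the query parses out of the Sysmon Message field.
FIELD_RE = re.compile(
    r"^(EventID|Image|CommandLine|ParentImage|TargetObject|Details|User|Computer): (.*)$",
    re.MULTILINE,
)
SCRIPT_HOST_RE = re.compile(r"\\(powershell|pwsh|wscript|cscript|mshta)\.exe$")
DLLHOST_RE = re.compile(r"\\dllhost\.exe$")
SURROGATE_CHILD_RE = re.compile(
    r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil"
    r"|net|net1|whoami|curl|wget|bitsadmin)\.exe$"
)
# Same ProgIDs, leading CLSID blocks and instantiation APIs the query looks for.
COM_TOKENS = (
    "-comobject", "createobject(", "gettypefromclsid", "mmc20.application",
    "shellwindows", "shellbrowserwindow", "wscript.shell", "shell.application",
    "schedule.service", "cmluautil", "49b2791a", "9ba05972", "c08afd90",
    "6edd6d74", "0f87369f", "microsoft.office.interop",
)
COM_SERVER_SUBKEYS = ("inprocserver32", "localserver32", "inprocserver")
TRUSTED_SERVER_PATHS = ("c:\\windows\\system32", "c:\\program files")


def parse_message(message):
    """Return the parsed fields of one Sysmon Message as a dict."""
    return dict(FIELD_RE.findall(message))


def classify(ev, allowed_parents=()):
    """Return the detection_source label for one event, or None if benign.
    allowed_parents: lowercase parent-image suffixes an analyst has tuned out."""
    eid = ev.get("EventID", "")
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()
    key = ev.get("TargetObject", "").lower()
    data = ev.get("Details", "").lower()

    # Branch 3 (highest precedence): CLSID server registration in a user hive
    # pointing outside trusted install paths. Sysmon writes HKCU keys as HKU\<SID>\...
    if eid in ("12", "13"):
        in_user_hive = key.startswith(("hkcu\\", "hku\\"))
        if (in_user_hive and "\\software\\classes\\clsid\\" in key
                and any(s in key for s in COM_SERVER_SUBKEYS)
                and not any(p in data for p in TRUSTED_SERVER_PATHS)):
            return "COMHijacking"
        return None
    if eid != "1":
        return None
    # Tuning hook for the process branches (e.g. an RPA robot's parent process).
    if any(parent.endswith(p) for p in allowed_parents):
        return None
    # Branch 2: the COM surrogate spawning a tooling or scripting child.
    if DLLHOST_RE.search(parent) and SURROGATE_CHILD_RE.search(image):
        return "DllHostSurrogate"
    # Branch 1: script host with a COM ProgID/CLSID/instantiation API on its command line.
    com_call = any(t in cmd for t in COM_TOKENS) or ("activator" in cmd and "createinstance" in cmd)
    if SCRIPT_HOST_RE.search(image) and com_call:
        return "ScriptCOMAbuse"
    return None


def run_detection(messages, allowed_parents=()):
    """Classify each message and return the rows the query would emit."""
    rows = []
    for msg in messages:
        ev = parse_message(msg)
        label = classify(ev, allowed_parents)
        if label:
            rows.append({
                "hostname": ev.get("Computer"), "username": ev.get("User"),
                "process_image": ev.get("Image"),
                "cmd_or_reg": ev.get("CommandLine") or ev.get("TargetObject"),
                "registry_data": ev.get("Details"), "detection_source": label,
            })
    return rows


# Constructed sample messages (not real telemetry): one per branch, then two benign cases.
SAMPLE_EVENTS = [
    "EventID: 1\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "CommandLine: powershell.exe -c $s = New-Object -ComObject Schedule.Service\n"
    "ParentImage: C:\\Windows\\explorer.exe\nUser: CORP\\alice\nComputer: WS01",
    "EventID: 1\nImage: C:\\Windows\\System32\\cmd.exe\nCommandLine: cmd.exe /c whoami\n"
    "ParentImage: C:\\Windows\\System32\\dllhost.exe\nUser: CORP\\bob\nComputer: WS02",
    # Placeholder CLSID; the DLL name mirrors the Test 4 expected signal on this page.
    "EventID: 13\nImage: C:\\Windows\\regedit.exe\n"
    "TargetObject: HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\"
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\\InProcServer32\\(Default)\n"
    "Details: C:\\Users\\carol\\AppData\\Roaming\\df00tech-evil.dll\nUser: CORP\\carol\nComputer: WS03",
    # Benign: RPA robot driving Shell.Application; tuned out via allowed_parents (constructed path).
    "EventID: 1\nImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "CommandLine: powershell.exe -c (New-Object -ComObject Shell.Application).Windows()\n"
    "ParentImage: C:\\Program Files\\UiPath\\UiRobot.exe\nUser: CORP\\rpa-svc\nComputer: RPA01",
    # Benign: installer registering a CLSID under HKLM with a Program Files server path.
    "EventID: 13\nImage: C:\\Windows\\System32\\msiexec.exe\n"
    "TargetObject: HKLM\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InProcServer32\\(Default)\n"
    "Details: C:\\Program Files\\Vendor\\vendor.dll\nUser: NT AUTHORITY\\SYSTEM\nComputer: WS04",
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS, allowed_parents=("\\uipath\\uirobot.exe",)):
        print(row["detection_source"], row["hostname"], row["cmd_or_reg"])
```

Without the allow-list the RPA event also fires as ScriptCOMAbuse, which is exactly the high-volume benign match the tuning note describes; suppressing by parent image keeps the registry branch untouched, so a hijack written by an allow-listed process would still be reported.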
Testing Methodology
Validate this detection against the 4 adversary techniques from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Scheduled Task Creation via ITaskService COM Interface
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Schedule.Service' and 'ITaskService'. Windows Task Scheduler Operational log Event ID 106 (task registered) for 'df00tech-COM-test'. Security Event ID 4698 (scheduled task created) if task auditing is enabled. PowerShell Script Block Log Event ID 4104 with the full COM invocation code.
- Test 2: Shell.Application COM Object Code Execution
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Shell.Application' and 'ShellExecute'. Second Sysmon Event ID 1 for calc.exe with ParentImage=explorer.exe or svchost.exe (the COM process host: ShellExecute routes through explorer.exe's COM server). Security Event ID 4688 for calc.exe process creation. PowerShell Script Block Log Event ID 4104.
- Test 3: WScript.Shell COM Execution with Run Method
  Expected signal: Sysmon Event ID 1: powershell.exe with 'WScript.Shell' in CommandLine. Sysmon Event ID 1: cmd.exe spawned (parent will be wscript.exe or svchost.exe depending on activation context, NOT powershell.exe). Sysmon Event ID 11: file create for df00tech-com-test.txt. PowerShell Script Block Log Event ID 4104.
- Test 4: COM Hijacking via HKCU CLSID Registration
  Expected signal: Sysmon Event ID 12 (Registry Object Create): TargetObject=HKCU\Software\Classes\CLSID\{DF000001-...}\InProcServer32. Sysmon Event ID 13 (Registry Value Set): TargetObject containing InProcServer32 with Details=%APPDATA%\df00tech-evil.dll. Security Event ID 4657 (registry value modified) if object access auditing is enabled. The ThreadingModel value is a hallmark of legitimate InProcServer32 registrations that malware mimics.
References
- https://attack.mitre.org/techniques/T1559/001/
- https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
- https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.001/T1559.001.md
- https://learn.microsoft.com/en-us/windows/win32/com/com-technical-overview
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://www.elastic.co/security-labs/exploring-the-latrodectus-payload
- https://www.welivesecurity.com/2020/10/02/eset-discovers-trickbot-new-module-targeting/