title: Component Object Model (T1559.001)
id: df00tech-t1559-001
status: experimental
description: "Adversaries abuse the Windows Component Object Model (COM) to execute arbitrary code locally. COM is a binary interface standard enabling inter-process communication between software objects through defined interfaces. Threat actors leverage COM by instantiating known objects (WScript.Shell, Shell.Application, MMC20.Application, Schedule.Service) via scripting hosts, hijacking COM object registrations in HKCU to redirect execution to malicious DLLs, or using elevated COM interfaces (CMLuaUtil) to bypass User Account Control. Real-world use includes TrickBot and Latrodectus creating scheduled tasks via ITaskService, MuddyWater executing payloads via DCOM loopback, Gamaredon injecting macros via Microsoft.Office.Interop objects, and Raspberry Robin abusing CMLuaUtil for UAC bypass. Unlike DCOM (T1021.003), this technique focuses on local COM execution rather than remote lateral movement."
references:
  - https://attack.mitre.org/techniques/T1559/001/
  - https://df00tech.com/detections/T1559.001
author: df00tech
date: 2026/04/20
tags:
  - attack.t1559.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT administration scripts using New-Object -ComObject Shell.Application or WScript.Shell for legitimate file operations and system management"
  - "Software installers and MSI packages that use COM objects during installation (WScript.Shell to write registry keys, Shell.Application to extract files)"
  - "Legitimate user-space COM registration by applications such as Python pywin32, LibreOffice, or other third-party software that registers DLLs under HKCU\\Software\\Classes\\CLSID"
  - "Monitoring agents and RMM tools (SolarWinds, ConnectWise, Datto) that use COM interfaces for system inventory or remote management"
  - "Development environments (Visual Studio, Python, Node.js) that routinely invoke COM interfaces for IDE features or build automation"
level: high
