THREAT OPS › Threat News › Introduction to COM usage by Windows threats
Introduction to COM usage by Windows threats
<ul><li>Component Object Model (COM) is a fundamental Windows technology used by legitimate applications for object activation, inter-process communication, automation and language-independent component reuse. Those same qualities make it useful to threat actors. </li><li>Malware frequently uses COM interfaces for lateral movement, execution,
MITRE ATT&CK techniques
- Scheduled TaskT1053.005
- Screen CaptureT1113
- MalvertisingT1583.008
- Email CollectionT1114
- Windows ServiceT1543.003
- System ChecksT1497.001
- Component Object ModelT1559.001
- Remote ServicesT1021
- Distributed Component Object ModelT1021.003
- PowerShellT1059.001
- Inter-Process CommunicationT1559
- ImpersonationT1684.001
- ImpersonationAML.T0073
Indicators of compromise
- https://web.archive.org/web/20251029175716/https:/www.japheth.de/Download/COMView.zipurl
- https://hex-rays.com/blog/igors-tip-of-the-week-93-com-reverse-engineering-and-com-helperurl
- https://binary.ninja/2024/02/12/enhancing-com-reverse-engineering.htmlurl
- https://dynamorio.org/url
- https://projectzero.google/2024/12/windows-tooling-updates-oleviewnet.htmlurl
- https://www.malwarebytes.com/blog/news/2014/02/observing-com-within-malicious-codeurl
- storage.ghost.iodomain