Introduction to COM Usage by Windows Threats
Introduction to COM Usage by Windows Threats
Component Object Model (COM) is a fundamental Windows technology used by legitimate applications for object activation, inter-process communication, automation, and language-independent component reuse. However, these same qualities make it useful to threat actors. 🚨 Malware frequently utilizes COM interfaces for lateral movement, execution, download and exfiltration, persistence, evasion, system discovery, and automation of built-in Windows and Office functionality.
COM is an application binary interface (ABI) model for reusing software components. Distributed COM (DCOM) extends COM so a client can activate and use COM objects on another system. The existence of the CoCreateInstanceEx API in a binary, with the appropriate parameters, can be used to distinguish between local COM and DCOM. DCOM is also explicitly represented in MITRE ATT&CK as one of the techniques and is described in Remote Services: Distributed Component Object Model, T1021.003.
COM classes are templates for creating COM objects, identified by a class identifier (CLSID), a GUID that uniquely identifies the component. The string representation of a GUID is common in the Windows registry, scripts, and configuration text, typically formatted as {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}. Readers should be aware that many malware families assemble GUID structures dynamically on the stack before attempting to create a new object, making the analysis process harder.
Interfaces are also represented by interface identifiers (IIDs), which define methods an object exposes to clients. A common example used in malware is the Windows Task Scheduler service. The newer Task Scheduler 2.0 COM class is commonly referenced by the CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}. The ITaskService interface has IID {2FABA4C7-4DA9-4013-9697-20CC3FD40F85} and provides access to the Task Scheduler service for managing registered tasks.
In binaries, the analyst may see either a readable ProgID string, a string-form GUID, or the little-endian binary representation of the CLSID. Malware is most commonly just a COM client. For reverse engineers, the dwClsContext argument supplied to activation APIs such as CoCreateInstance tells COM which server locations are acceptable, providing useful context, as they indicate whether the sample is trying to load a DLL into its own process, talk to a local EXE or service, or reach a remote DCOM server.
To read the complete article see: Read full article