Component Object Model Hijacking Overview

An adversary is able to hijack COM references and relationships as a means for persistence by modifying specific registry keys.

Component Object Model Hijacking Analysis

Lab Example

RED TEAM: ATTACK

Rundll32.exe executing an arbitrary executable through a malicious dll replacement.

T1122 - Component Object Hijacking 1

The end result is whenever a thumbnail is viewed, the calculator is executed on this host.

BLUE TEAM: DEFEND

The DLLHost parent executable gives away the impacted CLSID (Com Object) registry key and we can use this to remediate the system.

T1122 - Component Object Hijacking 2