MITRE ATT&CK
Persistence via COM Hijacking
Microsoft Office provides automation features through VBA macros and COM add-ins, both of which attackers can abuse to achieve persistence (MITRE ATT&CK tracks these under T1137, Office Application Startup).
These methods allow malicious code to execute whenever an Office application launches or a document is opened, often without the user noticing, and they survive reboots because the trigger is the application itself rather than a scheduled task or Run key.
Mechanisms
VBA Macros:
- VBA (Visual Basic for Applications) is a scripting language embedded in Office apps (Word, Excel, Outlook, PowerPoint).
- Attackers embed malicious macros that execute automatically when a document is opened, provided macros are enabled. Office runs procedures with reserved names such as AutoOpen, Document_Open, Auto_Open and Workbook_Open without any further user action. Since 2022 Office blocks macros in files that carry a Mark of the Web (downloaded from the internet) by default, so attackers increasingly rely on containers that strip the mark or on social engineering to get the macro enabled.
- For persistence rather than initial access, the macro is placed in a document that Office loads every time, such as the global template Normal.dotm, instead of a one-off attachment.
- Example: opening invoice.xlsm triggers a hidden Workbook_Open macro that launches cmd.exe to run a malicious payload.
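The following PowerShell triage function is an added example and is not part of the original page. It treats a macro-enabled Office Open XML file (.docm/.xlsm/.pptm, which are zip containers) as a zip archive, checks whether it carries a VBA project (the vbaProject.bin part), and scans the raw part for the auto-execute procedure names listed above. It assumes Windows PowerShell 5.1 or later; the path C:\Temp\invoice.xlsm in the usage line is hypothetical.

```powershell
# Added example, not from the original page: triage an OOXML document for an
# embedded VBA project and auto-execute entry points.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeMacroDocument {
    param([Parameter(Mandatory)][string]$Path)

    # Procedure names Office runs automatically once macros are allowed.
    $autoExec = 'AutoOpen', 'Auto_Open', 'Document_Open', 'Workbook_Open',
                'AutoExec', 'AutoNew', 'Document_New', 'AutoClose', 'Auto_Close',
                'Workbook_Activate', 'Application_Startup'

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin
        $vba = $zip.Entries | Where-Object { $_.FullName -match '(^|/)vbaProject\.bin$' } |
               Select-Object -First 1
        if (-not $vba) {
            return [pscustomobject]@{ Path = $Path; HasVbaProject = $false; AutoExec = @() }
        }

        $stream = $vba.Open()
        $ms = New-Object System.IO.MemoryStream
        $stream.CopyTo($ms)
        $stream.Dispose()
        $bytes = $ms.ToArray()

        # The VBA source text inside vbaProject.bin is MS-OVBA compressed, so a raw
        # string scan is a triage heuristic only; procedure and module names usually
        # survive as literal runs (ASCII or UTF-16), but decompressing the streams
        # (as oletools' olevba does) is the reliable check.
        $ascii   = [System.Text.Encoding]::ASCII.GetString($bytes)
        $unicode = [System.Text.Encoding]::Unicode.GetString($bytes)
        $hits    = $autoExec | Where-Object { $ascii -match $_ -or $unicode -match $_ }

        [pscustomobject]@{ Path = $Path; HasVbaProject = $true; AutoExec = @($hits) }
    }
    finally {
        $zip.Dispose()
    }
}

# Usage (hypothetical path): a result with HasVbaProject = $true and a non-empty
# AutoExec list is the document described above and deserves sandbox detonation.
Test-OfficeMacroDocument -Path 'C:\Temp\invoice.xlsm' | Format-List
```

Legacy binary formats (.doc, .xls, .dot) are OLE compound files, not zip containers, so this function does not apply to them; a file with HasVbaProject = $false can still be dangerous through other mechanisms (DDE, embedded objects), so treat the result as one signal among several.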
COM Add-ins:
- Component Object Model (COM) add-ins are DLLs (or out-of-process servers) that Office loads into the application process at startup to extend its functionality.
- Registration lives in the registry under HKCU or HKLM\Software\Microsoft\Office\<App>\Addins\<ProgId>; a LoadBehavior value of 3 means "connected, load at startup". The ProgId resolves through HKCU\Software\Classes (which shadows HKLM for the current user) to a CLSID and then to the InprocServer32 path of the DLL.
- Attackers register a malicious COM add-in, so their code executes inside the Office process whenever the associated application starts; because HKCU is writable without administrative rights, this needs no elevation.
- Example: A rogue Outlook COM add-in runs on startup, allowing persistent email-based attacks (e.g., forwarding messages to the attacker).
Office Startup Locations:
- Certain Office directories are processed automatically on application launch: Word loads every template in %APPDATA%\Microsoft\Word\STARTUP together with the global template Normal.dotm in %APPDATA%\Microsoft\Templates, Excel opens every file in %APPDATA%\Microsoft\Excel\XLSTART, and Outlook loads its VBA project from %APPDATA%\Microsoft\Outlook\VbaProject.OTM.
- Attackers drop malicious templates, add-ins or workbooks there (or modify Normal.dotm) to maintain persistence; the file runs silently each time the user opens the application.
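As an added example (not part of the original page), the PowerShell script below audits the two persistence locations just described on the local machine: it enumerates registered COM add-ins, resolves each ProgId to its server DLL and flags entries that load at startup from outside Program Files, then lists every file in the Office startup folders. It is read-only; run it elevated to see HKLM registrations as well. The Program Files heuristic is an assumption about what "normal" looks like and will need tuning for enterprise deployments that install add-ins elsewhere.

```powershell
# Added example, not from the original page: audit Office COM add-in
# registrations and Office startup folders for persistence.

function Resolve-ProgIdServer {
    param([Parameter(Mandatory)][string]$ProgId)
    # ProgId -> CLSID -> InprocServer32/LocalServer32. HKCU\Software\Classes is
    # checked first because it shadows HKLM for the current user (the same
    # ordering an attacker relies on for per-user registration).
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        $clsidKey = "$root\$ProgId\CLSID"
        if (-not (Test-Path $clsidKey)) { continue }
        $clsid = (Get-ItemProperty $clsidKey).'(default)'
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $serverKey = "$root\CLSID\$clsid\$server"
            if (Test-Path $serverKey) { return (Get-ItemProperty $serverKey).'(default)' }
        }
    }
    return $null
}

function Get-OfficeComAddins {
    $apps  = 'Word', 'Excel', 'Outlook', 'PowerPoint'
    $hives = 'HKCU:', 'HKLM:'
    foreach ($hive in $hives) {
        foreach ($app in $apps) {
            $bases = "$hive\Software\Microsoft\Office\$app\Addins",
                     "$hive\Software\Wow6432Node\Microsoft\Office\$app\Addins"
            foreach ($base in $bases) {
                if (-not (Test-Path $base)) { continue }
                foreach ($key in Get-ChildItem $base) {
                    $props  = Get-ItemProperty $key.PSPath
                    $progId = $key.PSChildName
                    $server = Resolve-ProgIdServer -ProgId $progId
                    # LoadBehavior 3 = connected and loaded at application start.
                    # Heuristic (assumption): a startup add-in served from outside
                    # Program Files is worth a closer look.
                    $suspicious = ($props.LoadBehavior -eq 3) -and $server -and
                                  ($server -notmatch '^"?[A-Za-z]:\\Program Files( \(x86\))?\\')
                    [pscustomobject]@{
                        App          = $app
                        Hive         = $hive
                        ProgId       = $progId
                        LoadBehavior = $props.LoadBehavior
                        Server       = $server
                        Suspicious   = $suspicious
                    }
                }
            }
        }
    }
}

function Get-OfficeStartupFiles {
    $locations = @(
        "$env:APPDATA\Microsoft\Word\STARTUP",    # global templates loaded by Word
        "$env:APPDATA\Microsoft\Templates",       # Normal.dotm
        "$env:APPDATA\Microsoft\Excel\XLSTART",   # files Excel opens on launch
        "$env:APPDATA\Microsoft\Outlook"          # VbaProject.OTM, Outlook's VBA project
    )
    $macroCapable = '.dotm', '.dot', '.docm', '.xlsm', '.xlam', '.xla', '.xls', '.xll', '.wll', '.otm'
    foreach ($dir in $locations) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -File -Force | ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                MacroCapable  = ($_.Extension.ToLower() -in $macroCapable)
            }
        }
    }
}

# Usage: startup add-ins loading from unusual paths, then everything in the
# startup folders, newest first (a fresh Normal.dotm or a new XLSTART file is
# the artifact the text above describes).
Get-OfficeComAddins | Where-Object Suspicious | Format-Table -AutoSize
Get-OfficeStartupFiles | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Word and Excel can be pointed at alternative startup folders through the STARTUP-PATH and AltStartup values under HKCU\Software\Microsoft\Office\<version>\<App>\Options, so a complete audit should also read those values and include whatever directory they name.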