Persistence via COM Hijacking

The Component Object Model (COM) is a Windows framework that allows software components to communicate and create dynamic objects. COM objects are often implemented as DLLs and registered in the Windows Registry with unique Class Identifiers (CLSID). Attackers manipulate COM registrations to execute malicious code whenever a COM object is instantiated, providing stealthy persistence.

Key Concepts

COM Objects: Reusable software components providing specific functionality (e.g., Shell.Application interacts with Windows Shell).
CLSID (Class Identifier): Unique identifier for a COM class stored in the Registry (e.g., {D2E7041B-2927-42FB-8E9F-7CE93B6DC937}).
ProgID (Programmatic Identifier): Human-readable string mapping to a CLSID (e.g., Excel.Application).

How Attackers Use It

COM Hijacking:
- Attackers modify the Registry to change the path of a legitimate COM object's CLSID to point to a malicious executable or DLL.
Original key: C:\\Windows\\System32\\Good.dll

Hijacked path: C:\\Users\\Hacker\\Bad.dll
- When the system or an application invokes the COM object, the malicious payload executes. This provides persistent execution under the context of trusted applications.
Example Attack Flow:
- Attacker identifies a COM object loaded by a frequently used application.
- Registry entry for the CLSID is modified to point to a malicious DLL.
- On next application launch, the malicious code executes automatically.

Registry Modification Example

reg add "HKCU\\Software\\Classes\\CLSID\\{MaliciousCLSID}\\InProcServer32" /ve /t REG_SZ /d "C:\\malicious.dll" /f

This registers the attacker's DLL under a COM CLSID, granting persistence whenever the associated application runs.

Detection

Windows Event Logs

Event ID 4657 – Registry value modified; monitor:
- HKLM\\SOFTWARE\\Classes\\CLSID\\
- HKCU\\SOFTWARE\\Classes\\CLSID\\

Sysmon Event IDs

Event ID 13 – Registry object created/modified/deleted (tracks COM-related changes).
Event ID 1 – Process creation; detect unexpected processes spawned by trusted applications (e.g., excel.exe spawning malicious.dll).