
Inter-Process Communication: Component Object Model (COM)

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).(Citation: Fireeye Hunting COM June 2019) Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)
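The description above says a COM client calls into server objects that are DLLs or EXEs; the link between a caller's CLSID and that binary is the registration under HKEY_CLASSES_ROOT. The Python script below is an added example (not code from this page or from ATT&CK) that parses a constructed .reg-style export and resolves a ProgID or CLSID to the server Windows would load, then builds the CLSID-to-module inventory a defender can baseline module-load telemetry against. The key layout (HKCR\<ProgID>\CLSID, HKCR\CLSID\{...}\InprocServer32 and LocalServer32) is real Windows; the export contents are sample data patterned on real entries, and the function names are this example's own.

```python
"""Resolve a COM ProgID or CLSID to the server binary Windows would load.

Added example, not code from this page or from ATT&CK. Parses a small
constructed .reg-style export of HKEY_CLASSES_ROOT to show how a client's
CoCreateInstance(CLSID) call ends up in a concrete DLL (InprocServer32,
loaded into the caller) or EXE (LocalServer32, started as its own process).
The key layout is real Windows; the export contents are sample data
patterned on real entries, and all function names are this example's.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed registry export (a real system has thousands of CLSID keys).
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\WScript.Shell\CLSID]
@="{72C24DD5-D70A-438B-8A42-98424B88AFB8}"

[HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}]
@="Windows Script Host Shell Object"

[HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32]
@="C:\\Windows\\System32\\wshom.ocx"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\MMC20.Application\CLSID]
@="{49B2791A-B1AE-4C90-9B8E-E860BA07F889}"

[HKEY_CLASSES_ROOT\CLSID\{49B2791A-B1AE-4C90-9B8E-E860BA07F889}\LocalServer32]
@="C:\\Windows\\System32\\mmc.exe"
"""

RegTree = Dict[str, Dict[str, str]]   # key path (upper-cased) -> {value name: data}
CLSID_RE = re.compile(r"^\{[0-9A-F-]{36}\}$", re.I)
SERVER_KINDS = ("InprocServer32", "LocalServer32")


@dataclass
class ComServer:
    clsid: str
    progid: Optional[str]
    kind: str    # "InprocServer32" (DLL in the caller) or "LocalServer32" (separate EXE)
    path: str


def parse_reg(text: str) -> RegTree:
    """Minimal .reg parser: [key] headers and "name"="data" / @="data" lines."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()   # registry key names are case-insensitive
            tree.setdefault(current, {})
            continue
        m = re.match(r'^(@|"[^"]*")="(.*)"$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1).strip('"')
            tree[current][name] = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
    return tree


def resolve(name: str, tree: RegTree) -> Optional[ComServer]:
    """Follow ProgID -> CLSID -> server key, as the COM runtime does on activation."""
    progid: Optional[str] = None
    if CLSID_RE.match(name):
        clsid = name.upper()
    else:
        entry = tree.get(f"HKEY_CLASSES_ROOT\\{name}\\CLSID".upper(), {})
        if "@" not in entry:
            return None
        progid, clsid = name, entry["@"].upper()
    for kind in SERVER_KINDS:
        entry = tree.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\{kind}".upper(), {})
        if entry.get("@"):
            return ComServer(clsid, progid, kind, entry["@"])
    return None


def inventory(tree: RegTree) -> Dict[str, ComServer]:
    """CLSID -> server binary for every registered server: the baseline that a
    module-load detection (DLLs not typically associated with the application)
    can be compared against."""
    pat = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})\\(INPROCSERVER32|LOCALSERVER32)$")
    canonical = {k.upper(): k for k in SERVER_KINDS}
    out: Dict[str, ComServer] = {}
    for key, values in tree.items():
        m = pat.match(key)
        if m and values.get("@"):
            out[m.group(1)] = ComServer(m.group(1), None, canonical[m.group(2)], values["@"])
    return out


REGISTRY = parse_reg(SAMPLE_REG)

if __name__ == "__main__":
    for name in ("WScript.Shell", "MMC20.Application", "{72C24DD5-D70A-438B-8A42-98424B88AFB8}"):
        print(name, "->", resolve(name, REGISTRY))
    print(f"{len(inventory(REGISTRY))} COM servers in baseline")
```

On a live host the same resolution can be done against a `reg export HKCR` dump; the point of keeping the inventory is that a module loaded into a COM-hosting process which does not appear in it, or whose registered path has changed since the last snapshot, is exactly the condition the Detection section below describes.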

ID: T1559.001
Parent technique: T1559
Tactic(s): Execution
Platforms: Windows
Data sources: Module: Module Load, Process: Process Creation, Script: Script Execution
Version: 1.1
Created: 12 Feb 2020
Last modified: 26 Jul 2021

Procedure examples

Name / Description
POWERSTATS

POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)

TrickBot

TrickBot used COM to set up a scheduled task for persistence.(Citation: ESET Trickbot Oct 2020)

InvisiMole

InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.(Citation: ESET InvisiMole June 2020)

FunnyDream

FunnyDream can use COM objects identified with `CLSID_ShellLink` (`IShellLink` and `IPersistFile`) and `WScript.Shell` (`RegWrite` method) to enable persistence mechanisms.(Citation: Bitdefender FunnyDream Campaign November 2020)

MuddyWater

MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022)

Ursnif

Ursnif droppers have used COM objects to execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017)

Milan

Milan can use a COM component to generate scheduled tasks.(Citation: ClearSky Siamesekitten August 2021)

Gamaredon Group

Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.(Citation: ESET Gamaredon June 2020)

HermeticWizard

HermeticWizard can execute files on remote machines using DCOM.(Citation: ESET Hermetic Wizard March 2022)

Neoichor

Neoichor can use the Internet Explorer (IE) COM interface to connect and receive commands from C2.(Citation: Microsoft NICKEL December 2021)

Bumblebee

Bumblebee can use a COM object to execute queries to gather system information.(Citation: Proofpoint Bumblebee April 2022)

Ramsay

Ramsay can use the Windows COM API to schedule tasks and maintain persistence.(Citation: Eset Ramsay May 2020)

Gelsemium

Gelsemium can use the `IARPUinstallerStringLauncher` COM interface as part of its UAC bypass process.(Citation: ESET Gelsemium June 2021)

Mitigations

Mitigation / Description
Privileged Account Management

Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.

Application Isolation and Sandboxing

Restrict execution of code to a virtual environment on or in transit to an endpoint system.

Detection

Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017) Monitor for spawning of processes associated with COM objects, especially those invoked by a user different from the one currently logged on.
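The three indicators above (unexpected module loads into COM-hosting processes, CLSID enumeration through the registry or PowerShell, and child processes of COM servers started under a different user than the interactive one) can be expressed as simple rules over endpoint telemetry. The Python below is an added example, not part of this page or of ATT&CK: the event shape (EventID 7 = image loaded, EventID 1 = process created, with Image/ImageLoaded/ParentImage/User/CommandLine fields) follows Sysmon, while the events themselves, the process list, the trusted-directory set and the rule names are constructed for this example.

```python
"""Rules for the three Detection indicators, run over constructed Sysmon-style
events. Added example, not this page's content: field names follow Sysmon
(EventID 7 image loaded, EventID 1 process created), everything else is
this example's own sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Processes that commonly host COM servers and are reachable through DCOM
# (constructed list; a real ruleset is tuned per environment).
COM_HOST_PROCESSES = {"outlook.exe", "excel.exe", "winword.exe", "mmc.exe", "dllhost.exe"}

# Crude stand-in for a per-application module baseline: a module loaded into a
# COM host from outside these roots is "not typically associated with the application".
TRUSTED_MODULE_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Command lines that walk the CLSID hive (Query Registry / PowerShell enumeration).
CLSID_ENUM_RE = re.compile(r"(hkcr|hkey_classes_root|software\\classes)\\clsid", re.I)


@dataclass
class Alert:
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict], console_user: str) -> List[Alert]:
    """console_user is the account of the interactive session (in practice taken
    from logon telemetry, not a constant). Children of COM hosts running as
    someone else get the higher severity, as the Detection text suggests."""
    alerts: List[Alert] = []
    for ev in events:
        eid = ev.get("EventID")
        image = _basename(ev.get("Image", ""))
        if eid == 7 and image in COM_HOST_PROCESSES:
            loaded = ev.get("ImageLoaded", "")
            if not loaded.lower().startswith(TRUSTED_MODULE_ROOTS):
                alerts.append(Alert("com_host_unexpected_module", "medium",
                                    f"{image} loaded {loaded}"))
        elif eid == 1:
            parent = _basename(ev.get("ParentImage", ""))
            user = ev.get("User", "")
            if parent in COM_HOST_PROCESSES:
                sev = "high" if user.lower() != console_user.lower() else "medium"
                alerts.append(Alert("com_host_child_process", sev,
                                    f"{parent} spawned {image} as {user}"))
            if CLSID_ENUM_RE.search(ev.get("CommandLine", "")):
                alerts.append(Alert("com_object_enumeration", "low",
                                    f"{image} enumerated CLSIDs: {ev['CommandLine']}"))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # benign: Outlook loads a module from its own install directory
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\MAPI32.DLL"},
    # suspicious: Outlook loads a DLL from a user-writable temp directory
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\upd.dll"},
    # suspicious: mmc.exe spawns cmd.exe under an account other than the console user
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe", "User": r"CORP\svc-deploy",
     "CommandLine": "cmd.exe /c hostname"},
    # benign: explorer spawns notepad for the console user
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "CommandLine": "notepad.exe"},
    # enumeration: PowerShell walks the CLSID hive
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "CommandLine": r'powershell.exe -c "Get-ChildItem Registry::HKEY_CLASSES_ROOT\CLSID | Select-Object Name"'},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, console_user="CORP\\alice"):
        print(f"[{a.severity}] {a.rule}: {a.detail}")
```

The trusted-root check is deliberately simple; in production it should be replaced by the per-application module baseline the first indicator actually calls for, and the console-user comparison needs session data (which account owns the interactive logon at that moment) rather than a fixed string. CLSID enumeration by itself is low severity because administrators and installers do it too; its value is as context around the other two rules.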

References

  1. Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.
  2. Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.
  3. Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.
  4. Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.
  5. Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.
  6. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  7. Microsoft. (n.d.). What is Protected View? Retrieved November 22, 2017.
  8. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  9. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  10. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  11. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  12. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  13. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  14. Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021.
  15. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  16. Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.
  17. Microsoft. (n.d.). Registry Values for System-Wide Security. Retrieved November 21, 2017.
  18. Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.
  19. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  20. Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
  21. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  22. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
  23. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  24. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022.
