Inter-Process Communication: Component Object Model
Other sub-techniques of Inter-Process Communication (3)

ID | Name |
---|---|
.001 | Component Object Model |
.002 | Dynamic Data Exchange |
.003 | XPC Services |
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).(Citation: Fireeye Hunting COM June 2019) Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)
Procedure Examples

Name | Description |
---|---|
POWERSTATS | POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018) |
TrickBot | TrickBot used COM to set up a scheduled task for persistence.(Citation: ESET Trickbot Oct 2020) |
InvisiMole | InvisiMole can use the |
FunnyDream | FunnyDream can use COM objects identified with `CLSID_ShellLink` (`IShellLink` and `IPersistFile`) and `WScript.Shell` (`RegWrite` method) to enable persistence mechanisms.(Citation: Bitdefender FunnyDream Campaign November 2020) |
MuddyWater | MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
Ursnif | Ursnif droppers have used COM objects to execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017) |
Milan | Milan can use a COM component to generate scheduled tasks.(Citation: ClearSky Siamesekitten August 2021) |
Gamaredon Group | Gamaredon Group malware can insert malicious macros into documents using a |
HermeticWizard | HermeticWizard can execute files on remote machines using DCOM.(Citation: ESET Hermetic Wizard March 2022) |
Neoichor | Neoichor can use the Internet Explorer (IE) COM interface to connect and receive commands from C2.(Citation: Microsoft NICKEL December 2021) |
Bumblebee | Bumblebee can use a COM object to execute queries to gather system information.(Citation: Proofpoint Bumblebee April 2022) |
Ramsay | Ramsay can use the Windows COM API to schedule tasks and maintain persistence.(Citation: Eset Ramsay May 2020) |
Gelsemium | Gelsemium can use the `IARPUinstallerStringLauncher` COM interface as part of its UAC bypass process.(Citation: ESET Gelsemium June 2021) |
Mitigations

Mitigation | Description |
---|---|
Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. |
Application Isolation and Sandboxing | Restrict execution of code to a virtual environment on or in transit to an endpoint system. |
Detection
Monitor for COM objects loading DLLs and other modules not typically associated with the application.(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.(Citation: Fireeye Hunting COM June 2019)(Citation: Enigma MMC20 COM Jan 2017) Monitor for spawning of processes associated with COM objects, especially those invoked by a user different from the one currently logged on.
References
- Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.
- Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.
- Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.
- Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.
- Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Microsoft. (n.d.). What is Protected View? Retrieved November 22, 2017.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
- Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
- Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.
- Microsoft. (n.d.). Registry Values for System-Wide Security. Retrieved November 21, 2017.
- Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.
- Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
- Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.