Home/ATT&CK Technique/Component Object Model
ATT&CK Technique

Component Object Model

T1559.001 · execution

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).

Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM). Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic. Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.

Windows

Actors Using This

14
franceAnimal Farm
russia_speaking_organized_cybercrimeBumblebee Operators / EXOTIC LILY
chinaChimera (G0114)
iranCyberAv3ngers (IRGC-CEC)
russia_speaking_organized_cybercrimeDarkGate Operators
us_israel_joint_offensive_cyber_speculationDuqu / Duqu 2.0
russia_speaking_organized_cybercrimeFIN8
latin_america_brazilian_organized_cybercrimeGuildma / Astaroth
italian_commercial_spyware_vendor_active_through_memento_labs_rebrandHacking Team (Memento Labs / RCS Lab)
iranHexane / Lyceum (G1001)
russia_speaking_organized_cybercrimeIcedID / BokBot Operators (Lunar Spider)
north_koreaMoonstone Sleet (Storm-1789)
russia_apt_sandwormNotPetya
vietnamOceanLotus / APT32

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1608.001 · Upload Malware ×4.39T1608.005 · Link Target ×4.16
privilege-escalation later
T1548.002 · Bypass User Account Control ×5.41
discovery later
T1497.003 · Time Based Checks ×4.23T1069.001 · Local Groups ×3.93T1012 · Query Registry ×3.04T1497.001 · System Checks ×2.99
collection later
T1185 · Browser Session Hijacking ×2.58
command-and-control later
T1571 · Non-Standard Port ×3.61T1071.004 · DNS ×3.52
exfiltration later
T1020 · Automated Exfiltration ×3.19
other same
T1218.010 · Regsvr32 ×5.77T1218.001 · Compiled HTML File ×4.33T1027.003 · Steganography ×3.61T1027.001 · Binary Padding ×2.62

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1048Application Isolation and Sandboxing

Application Isolation and Sandboxing refers to the technique of restricting the execution of code to a controlled and isolated environment (e.g., a virtual environment, container, or sandbox). This method prevents potentially malicious code from affecting the rest of the system or network by limiting access to sensitive resources and critical operations. The goal is to contain threats and minimize their impact.

Browser Sandboxing
  • Use Case: Implement browser sandboxing to isolate untrusted web content and prevent malicious web pages or scripts from accessing sensitive system resources or initiating unauthorized downloads.
  • Implementation: Use browsers with built-in sandboxing features (e.g., Google Chrome, Microsoft Edge) or deploy enhanced browser security frameworks that limit the execution scope of active content. Consider controls that monitor or restrict script-based file generation and downloads commonly abused in evasion techniques like HTML smuggling.
Application Virtualization
  • Use Case: Deploy critical or high-risk applications in a virtualized environment to ensure any compromise does not affect the host system.
  • Implementation: Use application virtualization platforms to run applications in isolated environments.
Email Attachment Sandboxing
  • Use Case: Route email attachments to a sandbox environment to detect and block malware before delivering emails to end-users.
  • Implementation: Integrate security solutions with sandbox capabilities to analyze email attachments.
Endpoint Sandboxing
  • Use Case: Run all downloaded files and applications in a restricted environment to monitor their behavior for malicious activity.
  • Implementation: Use endpoint protection tools for sandboxing at the endpoint level.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 3
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53AC-02, AC-03, AC-04, AC-05, AC-06, CM-02, CM-05, CM-06, IA-02, SC-03, SC-07, SC-18, SI-03
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin