COM hijacking is a technique frequently used by threat actors and various malware families to achieve persistence and privilege escalation on target systems. It relies on manipulating the Component Object Model (COM), a core part of the Windows architecture that enables communication between software components, by adding a new value under a registry key belonging to the targeted COM object.
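
As an added illustration (not code from the VirusTotal article), the following Python audits a registry snapshot for the pattern described above: a per-user (HKCU) CLSID server entry that shadows the machine-wide (HKLM) registration, or that points outside directories an administrator controls. The CLSIDs, paths and the trusted-directory rule are constructed assumptions for the example; on Windows the same dictionaries could be filled from `winreg`.

```python
"""Heuristic audit of COM CLSID registrations for the hijack pattern:
a per-user (HKCU\\Software\\Classes\\CLSID) server entry that shadows the
machine-wide (HKLM) one, or that points outside trusted directories.
COM resolves HKCU before HKLM, so a per-user entry wins without admin
rights. The snapshot below is CONSTRUCTED (placeholder CLSIDs and paths)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVER_VALUES = ("InprocServer32", "LocalServer32")
# Assumed "trusted" prefixes: writable only by administrators (heuristic).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    clsid: str
    server: str
    hkcu_path: str
    hklm_path: Optional[str]
    reason: str


def server_binary(value: str) -> str:
    """Normalise a server value: drop surrounding quotes and trailing
    arguments (LocalServer32 values often carry switches), lower-case."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        v = v[1:end] if end > 0 else v[1:]
    return v.lower()


def find_com_hijacks(hkcu: Dict[str, Dict[str, str]],
                     hklm: Dict[str, Dict[str, str]]) -> List[Finding]:
    """hkcu/hklm map {clsid: {server_value_name: default_value}}."""
    findings: List[Finding] = []
    for clsid, values in hkcu.items():
        for server in SERVER_VALUES:
            user = values.get(server)
            if user is None:
                continue
            machine = hklm.get(clsid, {}).get(server)
            if machine is not None and server_binary(machine) != server_binary(user):
                findings.append(Finding(clsid, server, user, machine,
                                        "HKCU entry shadows HKLM registration"))
            elif not server_binary(user).startswith(TRUSTED_DIRS):
                findings.append(Finding(clsid, server, user, machine,
                                        "server binary outside trusted directories"))
    return findings


# Constructed snapshot: CLSIDs and file paths are placeholders, not real data.
SAMPLE_HKLM = {
    "{CLSID-A}": {"InprocServer32": r"C:\Windows\System32\shell32.dll"},
    "{CLSID-B}": {"LocalServer32": r'"C:\Program Files\Vendor\app.exe"'},
}
SAMPLE_HKCU = {
    "{CLSID-A}": {"InprocServer32": r"C:\Users\alice\AppData\Roaming\upd.dll"},  # shadows HKLM
    "{CLSID-B}": {"LocalServer32": r'"C:\Program Files\Vendor\app.exe" /automation'},  # same binary
    "{CLSID-C}": {"InprocServer32": r"C:\Windows\System32\wbem\vendorprov.dll"},  # per-user, trusted
    "{CLSID-D}": {"InprocServer32": r"%APPDATA%\Temp\helper.dll"},  # per-user, untrusted
}

if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_HKCU, SAMPLE_HKLM):
        print(f"{f.clsid} {f.server}: {f.reason} ({f.hkcu_path})")
```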

We studied the usage of this technique by different malware samples to pinpoint the most exploited COM objects in 2023.

Abused COM Objects

We identified the most abused COM objects by samples using MITRE’s T1546.015 technique during sandbox execution. In addition to the most abused ones, we will also highlight other abused COM objects that we found interesting.

The chart below shows the distribution of how many samples abused different COM objects for persistence:

You can find the most used COM objects / CLSIDs listed below:


Full article: https://blog.virustotal.com/2024/03/com-objects-hijacking.html?m=1