The article explains how Component Object Model (COM) works in Windows and why threat actors abuse it for execution, persistence, WMI access, BITS transfers, and other malicious actions that can be hidden behind indirect vtable calls. It also shows how analysts can reverse engineer COM-heavy malware such as Qakbot, Attor, WarmCookie, and Gh0stRAT by mapping CLSIDs, IIDs, ProgIDs, and vtable offsets back to readable interfaces and methods. #COM #Qakbot #Attor #WarmCookie #Gh0stRAT #WScriptShell #TaskScheduler #BITS #WMI
Keypoints
- COM is a core Windows technology for object activation, automation, inter-process communication, and language-independent component reuse.
- Threat actors and malware frequently abuse COM for persistence, execution, lateral movement, download, exfiltration, evasion, and system discovery.
- The article focuses on reversing COM-heavy binaries by converting opaque GUIDs and indirect vtable calls into known classes, interfaces, and methods.
- Common COM artifacts include CLSIDs, IIDs, ProgIDs, registry entries, and interface vtables that analysts can map during triage.
- Tools such as OleView.NET, ComView, IDA COM Helper, COMIDA, COM Code Helper, COMpanion, DispatchLogger, and DynamoRIO can speed analysis.
- Example malware cases show COM use for Task Scheduler persistence, WMI access, BITS-based communication, and hidden task creation.
- Static and dynamic hunting can pivot on GUIDs, activation APIs, import patterns, and context to identify suspicious COM usage in binaries.
MITRE Techniques
- [T1021.003] Distributed Component Object Model - Used for remote COM activation and communication across systems through DCOM ("Remote Services: Distributed Component Object Model, T1021.003").
- [T1053.005] Scheduled Task - Malware such as Gh0stRAT/SimpleRemoter and WarmCookie uses Task Scheduler COM interfaces to create persistence tasks ("scheduled task creation logic" / "creates a work item, configures flags and creates a trigger").
- [T1047] Windows Management Instrumentation - Qakbot and Attor use WMI-related COM objects such as IWbemLocator and IWbemClassObject for remote/system interaction and enumeration ("references IID_IWbemLocator" / "use of IWbemClassObject to enumerate installed endpoint security software").
- [T1105] Ingress Tool Transfer - Attor uses BITS via IBackgroundCopyJob to download or move files through background transfer functionality ("add files to a job... start or stop transfers" / "payload download, staging, or exfiltration").
- [T1021] Remote Services - The article discusses COM/DCOM as remote services and remote activation paths used by malware ("reach a remote DCOM server" / "remote activation").
- [T1218] System Binary Proxy Execution - Malware leverages built-in Windows COM functionality to execute or stage actions through trusted components rather than direct binaries ("automation of built-in Windows and Office functionality" / "use COM to create... execute a command").
- [T1505] Server Software Component - The article explains COM servers, class factories, and self-registration mechanisms that malware can abuse to host or implement behavior ("COM server", "DllGetClassObject", "DllRegisterServer").
Indicators of Compromise
- [CLSID] Task Scheduler 2.0 and older Task Scheduler COM classes - {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}, CLSID_CTaskScheduler
- [IID] Task Scheduler and WMI interfaces - {2FABA4C7-4DA9-4013-9697-20CC3FD40F85}, IID_IWbemLocator
- [ProgID] Common COM automation objects seen in binaries - WScript.Shell, Shell.Application, MSXML2.XMLHTTP, WinHttp.WinHttpRequest.5.1
- [File / DLL names] COM-related tooling and Windows components referenced in analysis - ole32.dll, combase.dll, DispatchLogger.dll
- [File / config path] IDA Pro COM helper reference file - cfgclsid.cfg
- [Byte patterns] Little-endian GUID representations useful for YARA hunting - 9F 36 87 0F E5 A4 FC 4C BD 3E 73 E6 15 45 72 DD, C7 A4 AB 2F A9 4D 13 40 96 97 20 CC 3F D4 0F 85
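The byte-pattern indicator above depends on knowing how a GUID is laid out in memory (Data1, Data2 and Data3 little-endian, Data4 as written). The following is an added example, not code from the Talos article: a small Python helper that converts a registry-style GUID to that layout as a YARA hex string, converts the bytes back, and scans a constructed stand-in for a binary's .rdata for the two GUIDs the page lists. The lookup table labels and the sample blob are constructed here.

```python
import uuid

# Constructed lookup table built from the two GUIDs listed on the page (labels follow the page).
KNOWN_GUIDS = {
    "{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}": "CLSID: Task Scheduler 2.0 class",
    "{2FABA4C7-4DA9-4013-9697-20CC3FD40F85}": "IID: Task Scheduler interface",
}

def guid_to_yara_hex(guid_str: str) -> str:
    """In-memory layout of a GUID as a YARA hex string.
    Data1 (4 bytes), Data2 (2) and Data3 (2) are stored little-endian; Data4 (8) stays as written."""
    raw = uuid.UUID(guid_str.strip("{}")).bytes_le
    return " ".join(f"{b:02X}" for b in raw)

def bytes_to_guid(raw: bytes) -> str:
    """Inverse mapping: 16 in-memory bytes back to the registry-style {XXXXXXXX-...} string."""
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"

def find_known_guids(blob: bytes) -> list:
    """Scan a byte blob (e.g. a dumped .rdata section) for known GUIDs in little-endian layout.
    Returns sorted (offset, guid_string, label) tuples, one per occurrence."""
    hits = []
    for guid_str, label in KNOWN_GUIDS.items():
        needle = uuid.UUID(guid_str.strip("{}")).bytes_le
        start = 0
        while (pos := blob.find(needle, start)) != -1:
            hits.append((pos, guid_str, label))
            start = pos + 1
    return sorted(hits)

def yara_rule(name: str, guid_str: str) -> str:
    """Render a minimal YARA rule whose single hex string is the GUID's memory layout."""
    return (f"rule {name} {{\n    strings:\n        $guid = {{ {guid_to_yara_hex(guid_str)} }}\n"
            f"    condition:\n        $guid\n}}")

# Constructed sample: filler bytes around both GUIDs, standing in for a binary's .rdata section.
SAMPLE_RDATA = (b"\x00" * 8
                + uuid.UUID("0F87369F-A4E5-4CFC-BD3E-73E6154572DD").bytes_le
                + b"\x90" * 5
                + uuid.UUID("2FABA4C7-4DA9-4013-9697-20CC3FD40F85").bytes_le)

if __name__ == "__main__":
    print(guid_to_yara_hex("{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}"))
    for off, g, label in find_known_guids(SAMPLE_RDATA):
        print(f"0x{off:04X} {g} {label}")
    print(yara_rule("task_scheduler_clsid", "{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}"))
```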
Read more: https://blog.talosintelligence.com/introduction-to-com-usage-by-windows-threats/