{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/oracle-america-inc./","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","OneDrive.exe","OneDriveSetup.exe","FileSyncConfig.exe","Teams.exe","MicrosoftEdgeUpdate.exe","msrdcw.exe","MicrosoftEdgeUpdateComRegisterShell64.exe","setup.exe","PowerToys.PowerLauncher.exe"],"_cs_severities":["low"],"_cs_tags":["persistence","com-hijacking","windows","registry","defense-evasion","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Elastic","Island Technology Inc.","Google LLC","Grammarly, Inc.","Dropbox, Inc.","REFINITIV US LLC","HP Inc.","Adobe Inc.","Citrix Systems, Inc.","Veeam Software Group GmbH","Zhuhai Kingsoft Office Software Co., Ltd.","Oracle America, Inc.","Brave Software, Inc.","DeepL SE","Opera Norway AS","Slack Technologies, LLC","Spotify AB","Vivaldi Technologies AS","Microsoft"],"content_html":"\u003cp\u003eComponent Object Model (COM) hijacking is a persistence and privilege escalation technique used by adversaries to execute malicious code by hijacking references to COM objects. This involves modifying specific registry keys to redirect COM object instantiation to attacker-controlled DLLs or executables. The technique is difficult to detect due to the legitimate use of COM objects by various applications and the operating system itself. This brief focuses on identifying suspicious registry modifications indicative of COM hijacking, while excluding known legitimate processes to minimize false positives. The original Elastic detection rule was published in November 2020 and last updated in May 2026, showcasing its continued relevance. This activity matters to defenders because successful COM hijacking allows attackers to execute arbitrary code with the privileges of the user or service that instantiates the hijacked COM object.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target COM object to hijack by enumerating COM object entries in the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eInprocServer32\u003c/code\u003e or \u003ccode\u003eLocalServer32\u003c/code\u003e registry keys associated with the target COM object to point to a malicious DLL or executable.\u003c/li\u003e\n\u003cli\u003eThe attacker may also modify the \u003ccode\u003eDelegateExecute\u003c/code\u003e registry key to control how the COM object is executed.\u003c/li\u003e\n\u003cli\u003eA legitimate application or service attempts to instantiate the original COM object.\u003c/li\u003e\n\u003cli\u003eDue to the registry modifications, the malicious DLL or executable is loaded and executed instead.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as establishing persistence, escalating privileges, or executing arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system and potentially gains elevated privileges through the hijacked COM object.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful COM hijacking enables attackers to establish persistent access to compromised systems and potentially escalate privileges. The impact can range from executing arbitrary code with user privileges to gaining system-level access, depending on the context in which the hijacked COM object is used. 
The Elastic detection rule aims to identify and prevent such attacks by detecting suspicious registry modifications, but the overall number of affected systems and the specific sectors targeted by this technique are not specified in the original source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Registry auditing to capture registry modification events and activate the Sigma rule \u003ccode\u003eSuspicious COM Hijack Registry Modification\u003c/code\u003e to detect potential COM hijacking attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes modifying COM-related registry keys and their associated executables.\u003c/li\u003e\n\u003cli\u003eImplement code signing validation and monitor for unsigned or unexpected DLLs being loaded by legitimate processes, as indicated in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the list of excluded processes and trusted code signers in the Sigma rule to minimize false positives.\u003c/li\u003e\n\u003cli\u003eDeploy the EQL rule provided by Elastic, adjusting the \u003ccode\u003efrom\u003c/code\u003e and \u003ccode\u003eindex\u003c/code\u003e fields to match your environment, and tune the process and signature exclusions for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for registry changes in the \u003ccode\u003eHKEY_USERS\u003c/code\u003e hive related to COM objects, as these are considered less common and potentially malicious.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-com-hijacking/","summary":"Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects through Component Object Model (COM) hijacking via registry modification on Windows systems.","title":"Component Object Model (COM) Hijacking via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-com-hijacking/"}],"language":"en","title":"CraftedSignal Threat Feed — Oracle America, Inc.","version":"https://jsonfeed.org/version/1.1"}