MITRE ATT&CK™ Analysis - T1546.015 Component Object Model Hijacking

less than 1 minute read

Component Object Model Hijacking Overview

An adversary is able to hijack COM references and relationships as a means for persistence by modifying specific registry keys.

Rundll32.exe executing an arbitrary executable through a malicious dll replacement.

T1122 - Component Object Hijacking 1

The end result is whenever a thumbnail is viewed, the calculator is executed on this host.

The DLLHost parent executable gives away the impacted CLSID (Com Object) registry key and we can use this to remediate the system.

T1122 - Component Object Hijacking 2

130 minute read

Cheatsheet containing a variety of commands and concepts relating to digital forensics and incident response.

26 minute read

Analysis of ClearFake malware which is planted on compromised WordPress websites to convince unsuspecting visitors to download and run malware.

30 minute read

Analysis of a RAR file which leads to the discovery of malicious Github repositories designed to distribute malware.

18 minute read

Analysis of a LNK which acts as a FormBook download cradle hosted on a compromised WordPress website.