Esc
Component Object Model Hijacking - T1546.015
(ATT&CK® Technique)
Definition
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1546015["Component Object Model Hijacking"] --> |modifies| SystemConfigurationDatabase["System Configuration Database"]; class T1546015 OffensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase";
click T1546015 href "/offensive-technique/attack/T1546.015/"; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase"; T1546015["Component Object Model Hijacking"] --> |loads| ExecutableBinary["Executable Binary"]; class T1546015 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1546015 href "/offensive-technique/attack/T1546.015/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableBinary["Executable Binary"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1546015["Component Object Model Hijacking"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1546015["Component Object Model Hijacking"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1546015["Component Object Model Hijacking"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableBinary["Executable Binary"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1546015["Component Object Model Hijacking"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | ExecutableBinary["Executable Binary"];
FileEviction["File Eviction"] -.->
| may-evict | T1546015["Component Object Model Hijacking"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; RestoreDatabase["Restore Database"] -->
| restores | SystemConfigurationDatabase["System Configuration Database"];
RestoreDatabase["Restore Database"] -.->
| may-restore | T1546015["Component Object Model Hijacking"] ;
class RestoreDatabase DefensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode;
click RestoreDatabase href "/technique/d3f:RestoreDatabase"; RestoreFile["Restore File"] -->
| restores | ExecutableBinary["Executable Binary"];
RestoreFile["Restore File"] -.->
| may-restore | T1546015["Component Object Model Hijacking"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1546015["Component Object Model Hijacking"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; SystemConfigurationPermissions["System Configuration Permissions"] -->
| restricts | SystemConfigurationDatabase["System Configuration Database"];
SystemConfigurationPermissions["System Configuration Permissions"] -.->
| may-harden | T1546015["Component Object Model Hijacking"] ;
class SystemConfigurationPermissions DefensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode;
click SystemConfigurationPermissions href "/technique/d3f:SystemConfigurationPermissions"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableBinary["Executable Binary"];
FileEncryption["File Encryption"] -.->
| may-harden | T1546015["Component Object Model Hijacking"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1546015["Component Object Model Hijacking"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableBinary["Executable Binary"];
LocalFilePermissions["Local File Permissions"] -.->
| may-harden | T1546015["Component Object Model Hijacking"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1546015["Component Object Model Hijacking"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";