{
	"id": "c2741bd7-0514-4dc1-bb92-401d9748f2ac",
	"created_at": "2026-04-06T00:21:13.588021Z",
	"updated_at": "2026-04-10T13:12:07.51595Z",
	"deleted_at": null,
	"sha1_hash": "fe87619cbfd9c64ad6c14c4423db01df523e4ab8",
	"title": "How to hunt: Detecting persistence and evasion with the COM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 212677,
	"plain_text": "How to hunt: Detecting persistence and evasion with the COM\r\nBy ByBlake StromPaul Ewing\r\nPublished: 2016-09-14 · Archived: 2026-04-05 13:09:29 UTC\r\nEditor’s Note: Elastic joined forces with Endgame in October 2019, and has migrated some of the Endgame blog\r\ncontent to elastic.co. See Elastic Security to learn more about our integrated security solutions.\r\nAfter adversaries breach a system, they usually consider how they will maintain uninterrupted access through\r\nevents such as system restarts. This uninterrupted access can be achieved through persistence methods.\r\nAdversaries are constantly rotating and innovating persistence techniques, enabling them to evade detection and\r\nmaintain access for extended periods of time. A prime example is the recent DNC hack, where it was reported that\r\nthe attackers leveraged very obscure persistence techniques for some time while they evaded detection and\r\nexfiltrated sensitive data.\r\nThe number of ways to persist code on a Windows system can be counted in the hundreds and the list is growing.\r\nThe discovery of novel approaches to persist is not uncommon. Further, the mere presence of code in a persistence\r\nlocation is by no means an indicator of malicious behavior as there are an abundance of items, usually over a\r\nthousand, set to autostart under various conditions on a standard Windows system. This can make it particularly\r\nchallenging for defenders to distinguish between legitimate and malicious activity.\r\nWith so many opportunities for adversaries to blend in, how should organizations approach detection of adversary\r\npersistence techniques? To address this question, Endgame is working with The MITRE Corporation, a not-for-profit R\u0026D organization, to demonstrate how the hunting paradigm fits within the MITRE ATT\u0026CK™\r\nframework. 
The ATT\u0026CK™ framework, which stands for Adversarial Tactics, Techniques \u0026 Common Knowledge, is a model for describing the actions an adversary can take while operating within an enterprise network. It categorizes actions into tactics, such as persistence, and the techniques used to achieve those tactics. Endgame has collaborated with MITRE to help extend the ATT\u0026CK™ framework by adding a new technique, COM Object Hijacking, to the persistence tactic, sparking some great conversations and insights that we’ve pulled together into this post. Thanks to MITRE for working with Endgame and others in the community to help update the model, and a special thanks to Blake Strom for co-authoring this piece. Now let the hunt for persistence begin!\r\nHunting for Attacker Techniques\r\nHunting is not just the latest buzzword in security. It is a very effective detection process as well as a state of mind. Defenders must assume breach and hunt within the environment continually, as though an active intrusion is underway. Indicators of compromise (IOCs) are not enough when adversaries can change tool indicators often. Defenders must hunt for never-before-seen artifacts by looking for commonly used adversary techniques and patterns. Given constantly changing infrastructure and the increasingly customized nature of attacks, hunting for attacker techniques greatly increases the likelihood of catching today’s sophisticated adversaries.\r\nhttps://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com\r\nPage 1 of 6\n\nPersistence is one such tactic for which we can effectively hunt. Defenders understand that adversaries will try to persist and generally know the most common ways this can be done. Hunting in persistence locations for anomalies and outliers is a great way to find the adversary, but it isn’t always easy. Many techniques adversaries use resemble ways software legitimately behaves on a system. 
Adversary persistence behavior in a Windows environment could show up as installing seemingly benign software to run upon system boot or when a user logs into a system, or as more clever techniques such as utilizing Windows Management Instrumentation (WMI). Smart adversaries know what is most common and will try to find poorly understood and obscure ways to persist during an intrusion in order to evade detection.\r\nMITRE has provided the community with a cheat sheet of persistence mechanisms through ATT\u0026CK™, which describes the universe of adversary techniques to help inform comprehensive coverage during hunt operations. It includes a wide variety of techniques, ranging from simply using legitimate credentials to more advanced techniques like component firmware modification. The goal of an advanced adversary is not just to persist; it is to persist without detection by evading common defensive mechanisms as well. These common evasion techniques are also covered by ATT\u0026CK™. MITRE documented these techniques using in-depth knowledge about how adversaries can and do operate, as with COM hijacking for persistence.\r\nTo demonstrate the value of hunting for specific techniques, we focus on Component Object Model (COM) hijacking, which can be used for persistence as well as defense evasion.\r\nSo What’s Up with the COM?\r\nMicrosoft’s Component Object Model (COM) has been around forever – well, not exactly – but at least since 1993 with MS Windows 3.1. COM is a binary interface standard for linking software components: it is how engineers make components of their software accessible to other applications. The classic use case for COM is how Microsoft Office products link together. To learn more, Microsoft’s official documentation provides a great, comprehensive overview of COM.\r\nLike many other capabilities attackers use, COM is not inherently malicious. 
However, there are ways it can be used by the adversary that are malicious. As we discussed earlier, most adversaries want to persist. Therefore, hunters should regularly look for signs of persistence, such as anomalous files which are set to execute automatically. Adversaries can cleverly manipulate COM to execute their code, specifically by registering their own server DLL or executable for an existing CLSID in the current-user Classes hive (HKCU), which COM consults before the machine-wide registration in HKLM, and thereby gain persistence.\r\nBut before we dive into the registry, let’s have a quick history lesson. Messing with COM is not an unknown technique by any means. Even as early as 2005, adversaries were utilizing Internet Explorer to access the machine’s COM objects to cause crashes and other issues. Check out CVE-2005-1990 or some of CERT’s vulnerability notes discussing exactly this problem.\r\nCOM object hijacking first became mainstream in 2011 at the Virus Bulletin conference, when Jon Larimer presented “The Dangers of Per-User COM Objects.” Hijacking is a fairly common term in the infosec community, and describes the action of maliciously taking over an otherwise legitimate function on the target host: session hijacking, browser hijacking, and search-order hijacking, to name a few. It didn’t take long for adversaries to start leveraging the research presented at Virus Bulletin 2011. For example, in 2012 the ZeroAccess rootkit started hijacking COM objects, while in 2014 GDATA reported a new Remote Administration Tool (RAT) dubbed COMpfun which persists via a COM hijack. The following year, GDATA again presented the use of COM hijacking, with COMRAT seen persisting via a COM hijack. The Roaming Tiger Advanced Persistent Threat (APT) group reportedly also used COM hijacking with the BBSRAT malware. 
These are just a few examples to demonstrate that COM hijacking is a real concern which hunters need to consider and handle while looking for active intrusions in the network.\r\nThe Challenges and Opportunities to Detect COM Hijacking\r\nToday, COM hijacking remains relevant, but is often forgotten. We see it employed by persistent threats as well as included in crimeware. Fortunately, we have one advantage: the hijack is fairly straightforward to detect. To perform the hijack, the adversary relies on the operating system to load current user objects prior to the local machine objects in COM. This is the fundamental principle behind the hijack and also the method to detect it.\r\nEasy, right? Well, there are some gotchas to watch out for. Most existing tools detect COM hijacking through signatures. A COM object is identified in the system by a globally unique identifier called a CLSID. A signature-based approach will only look at and alert on specific CLSIDs which reference an object that has previously been reported as hijacked. This is nowhere near enough because, in theory, any COM object and any CLSID could be hijacked.\r\nSecond, for us hunters, the presence of a user COM object in general can be considered anomalous, but some third-party applications will generate such objects, causing false positives in your hunt. To accurately find COM hijacks, a more in-depth inspection of the entire current user and local machine registry hives is necessary. In our single default Windows 7 VM, we had 4697 CLSIDs within the local machine hive. To perform the inspection, you will need to dust off your scripting skills and perform a comparative analysis within the registry.\r\n
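The comparative analysis described above, as an added example that is not code from the original post or from the Endgame platform. It reads the text printed by reg query for the CLSID branch of the HKLM and HKCU Classes hives (collected per host), rebuilds each CLSID with its InprocServer32 or LocalServer32 server, and flags every CLSID whose per-user server differs from the machine-wide one, since that is the entry COM loads in place of the legitimate object. It also runs the signature-style check the post criticises, so the difference in coverage is visible on the same data. The two dumps, the CLSIDs, the paths, the known-good allowlist and the signature list are all constructed for this example; the writable-location markers and the scores are illustrative heuristics, not part of the post.

```python
import re
from collections import defaultdict

# Added example, not code from the original post or from Endgame/Elastic.
# Input is the text printed by `reg query <hive>\Software\Classes\CLSID /s`
# on each host. Both dumps below are constructed for this example and use
# invented CLSIDs and paths.
HKLM_DUMP = r'''
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}
    (Default)    REG_SZ    Example Shell Helper

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32
    (Default)    REG_SZ    C:\Windows\System32\examplehelper.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{33333333-0000-0000-0000-000000000003}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\Vendor\vendor.dll
    ThreadingModel    REG_SZ    Both

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{44444444-0000-0000-0000-000000000004}\InprocServer32
    (Default)    REG_SZ    C:\Windows\System32\other.dll
'''

HKCU_DUMP = r'''
HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32
    (Default)    REG_SZ    C:\Users\alice\AppData\Roaming\Updater\update.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32
    (Default)    REG_SZ    C:\Users\alice\AppData\Local\Programs\Chat\chat.dll

HKEY_CURRENT_USER\Software\Classes\CLSID\{33333333-0000-0000-0000-000000000003}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\Vendor\vendor.dll

HKEY_CURRENT_USER\Software\Classes\CLSID\{44444444-0000-0000-0000-000000000004}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\Trusted Suite\shim.dll
'''

# Key lines of `reg query` output: hive, CLSID, optional subkey (InprocServer32, ...).
KEY_RE = re.compile(
    r'^HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\Software\\Classes\\CLSID\\'
    r'(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?:\\(?P<subkey>.+))?$', re.IGNORECASE)

# Hypothetical hunt-team allowlist: per-user servers reviewed once and accepted.
KNOWN_GOOD_SERVERS = frozenset({'c:\\program files\\trusted suite\\shim.dll'})
# Hypothetical signature list: CLSIDs previously reported as hijacked.
REPORTED_CLSIDS = frozenset({'{99999999-0000-0000-0000-000000000009}'})
# Directories a standard user can write to; a COM server there deserves a look.
USER_WRITABLE_MARKERS = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')


def parse_reg_query(dump):
    '''Parse `reg query ... /s` text into {clsid: {subkey: {value_name: data}}}.'''
    objects = defaultdict(lambda: defaultdict(dict))
    current = None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(' '):          # key line
            m = KEY_RE.match(raw.strip())
            current = (m.group('clsid').upper(), m.group('subkey') or '') if m else None
            continue
        if current is None:
            continue
        parts = raw.strip().split('    ', 2)  # value name, type, data (4-space separated)
        if len(parts) == 3:
            clsid, subkey = current
            objects[clsid][subkey][parts[0]] = parts[2]
    return objects


def in_user_writable_location(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def hunt_com_hijacks(hkcu, hklm, known_good=frozenset()):
    '''Compare every per-user COM server with the machine-wide one for the same
    CLSID. A different server under HKCU shadows the HKLM object: that is the
    hijack pattern, and it needs no prior knowledge of the CLSID involved.'''
    findings = []
    for clsid, subkeys in hkcu.items():
        for server_key in ('InprocServer32', 'LocalServer32'):
            user_server = subkeys.get(server_key, {}).get('(Default)')
            if not user_server:
                continue
            machine_server = hklm.get(clsid, {}).get(server_key, {}).get('(Default)')
            if user_server.lower() in known_good:
                verdict, score = 'known-good', 0
            elif machine_server is None:
                verdict, score = 'per-user-only', 1   # typical of per-user installs
            elif user_server.lower() == machine_server.lower():
                verdict, score = 'duplicate', 0       # same server, nothing changes
            else:
                verdict, score = 'shadowed', 3        # HKCU entry wins at load time
            writable = in_user_writable_location(user_server)
            if writable and score:
                score += 1                            # code in a user-writable directory
            findings.append({'clsid': clsid, 'server_key': server_key, 'verdict': verdict,
                             'user_server': user_server, 'machine_server': machine_server,
                             'user_writable': writable, 'score': score})
    return sorted(findings, key=lambda f: f['score'], reverse=True)


def signature_check(hkcu, reported_clsids):
    '''Signature approach: only CLSIDs already reported as hijacked can fire.'''
    return sorted(c for c in hkcu if c in reported_clsids)


if __name__ == '__main__':
    hkcu, hklm = parse_reg_query(HKCU_DUMP), parse_reg_query(HKLM_DUMP)
    print('signature hits:', signature_check(hkcu, REPORTED_CLSIDS))
    for f in hunt_com_hijacks(hkcu, hklm, KNOWN_GOOD_SERVERS):
        print(f['score'], f['verdict'], f['clsid'], f['user_server'], '<-', f['machine_server'])
```

Run as a script it prints the ranked findings: the shadowed CLSID whose per-user server lives under AppData comes first, the per-user-only registration is reported at low score, the duplicate and the allowlisted entry score zero, and the signature check finds nothing at all. In a real hunt the dumps come from every host (on 64-bit Windows, collect the Wow6432Node CLSID branch of both hives as well), and the cross-host comparison is what separates a vendor’s per-user registration present on hundreds of machines from a shadowing entry present on one. Two caveats worth keeping in mind: a per-user entry with no machine-wide counterpart hijacks nothing but still executes whenever that CLSID is requested, and elevated processes ignore per-user COM registrations, so this kind of hijack only fires in the user’s standard-integrity processes.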
This could become difficult and may not scale if you are querying thousands of enterprise systems, which is why we baked this inspection into the Endgame platform.\r\nSo many objects to hijack...\r\nAt Endgame, we inspect the registry to hunt for exactly these artifacts across all objects within the registry, and this investigation scales across an entire environment. This is critical because hunters need to perform their operations in a timely and efficient manner. Please reference the following video to see a simple COM hijack and automatic detection with the Endgame platform. Endgame enumerates all known persistence locations across a network, enriches the data, and performs a variety of analytics to highlight potentially malicious artifacts in seconds. COM hijacking detection is one capability of many in the Endgame platform.\r\nHunting for COM Hijacking using Endgame\r\nConclusion\r\nPersistence is a tactic used by a wide range of adversaries. It is part of almost every compromise. The choice of persistence technique used by an adversary can be the most interesting and sophisticated aspect of an attack. This makes persistence, coupled with the usual defense evasion techniques, a prime focus area for hunting and subsequent discovery and remediation. Furthermore, we can’t always rely on indicators of compromise alone. Instead, defenders must seek out anomalies within the environment, either at the host or in the network, which can reveal the breadcrumbs to follow to find the breach.\r\nWithout a framework and intelligent automation, the hunt can be time-consuming, resource-intensive, and unfocused. 
MITRE’s ATT\u0026CK™ framework provides an abundance of techniques that can guide the hunt in a structured way. With this as a starting point, we have explored one persistence technique in depth: COM hijacking. COM hijacks can be detected without signatures through intelligent automation and false positive mitigation, getting beyond many of the challenges an analyst would face finding COM hijacks manually. This is just one way in which a technique-focused hunt mindset can allow defenders to detect, prevent, and remediate those adversaries that continue to evade even the most advanced defenses.\r\nSource: https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com"
	],
	"report_names": [
		"how-hunt-detecting-persistence-evasion-com"
	],
	"threat_actors": [
		{
			"id": "866c0c21-8de3-4ad5-9887-cecd44feb788",
			"created_at": "2022-10-25T16:07:24.130298Z",
			"updated_at": "2026-04-10T02:00:04.875929Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"Bronze Woodland",
				"CTG-7273",
				"Rotten Tomato"
			],
			"source_name": "ETDA:Roaming Tiger",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"BBSRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5afe7b81-e99a-4c24-8fcc-250fb0cf40a3",
			"created_at": "2023-01-06T13:46:38.324616Z",
			"updated_at": "2026-04-10T02:00:02.928697Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"BRONZE WOODLAND",
				"Rotten Tomato"
			],
			"source_name": "MISPGALAXY:Roaming Tiger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee9a20b1-c6d6-42da-909d-66e7699723d1",
			"created_at": "2025-08-07T02:03:24.704306Z",
			"updated_at": "2026-04-10T02:00:03.722506Z",
			"deleted_at": null,
			"main_name": "BRONZE WOODLAND",
			"aliases": [
				"CTG-7273 ",
				"Roaming Tiger ",
				"Rotten Tomato "
			],
			"source_name": "Secureworks:BRONZE WOODLAND",
			"tools": [
				"Appat",
				"BbsRAT",
				"PlugX",
				"Zbot"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434873,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe87619cbfd9c64ad6c14c4423db01df523e4ab8.pdf",
		"text": "https://archive.orkl.eu/fe87619cbfd9c64ad6c14c4423db01df523e4ab8.txt",
		"img": "https://archive.orkl.eu/fe87619cbfd9c64ad6c14c4423db01df523e4ab8.jpg"
	}
}