COM Hijacking
What is COM Hijacking?
COM Hijacking: A persistence technique that redirects a Windows Component Object Model CLSID lookup to attacker code, executing it whenever a host process instantiates that object.
COM hijacking (MITRE ATT&CK T1546.015) abuses the Windows Component Object Model registration system. Each COM object is identified by a CLSID under HKLM or HKCU; the per-user hive HKCU\Software\Classes\CLSID is searched before HKLM, so a normal user can register a malicious InProcServer32 path for a frequently used CLSID and have their DLL or scriptlet loaded by Explorer, Office, or scheduled tasks. Because the trigger is a legitimate API call (CoCreateInstance), the technique is stealthy and survives reboots. Detection focuses on new HKCU CLSID entries, unsigned DLLs in user-writable paths, and abnormal child processes of explorer.exe; defenses include audit-mode AppLocker/WDAC, Sysmon registry monitoring, and removing user write access to sensitive keys.
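The detection points in the paragraph above (new HKCU CLSID entries, servers in user-writable paths, unsigned DLLs) can be turned into a host-side audit. The PowerShell below is an added example written for this page, not code from MITRE or any vendor: it walks HKCU\Software\Classes\CLSID, resolves each InprocServer32 or LocalServer32 default value, and flags entries that shadow an HKLM registration for the same CLSID, point into a user-writable directory, or lack a valid Authenticode signature. The list of user-writable directories and the "Suspicious" scoring rule are assumptions chosen for illustration; adjust them for your estate.

```powershell
# Added example (not from the original page): audit per-user COM registrations.
# Assumption: these two hives are the only lookup locations that matter here.
$userClsid    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$machineClsid = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'

# Directories a standard user can normally write to (assumed list; extend as needed).
$userWritable = @(
    $env:USERPROFILE, $env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData, $env:PUBLIC
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ServerPath {
    param([string]$KeyPath)
    # The server path is the key's (default) value; it may be quoted, use
    # environment variables, or carry arguments (common for LocalServer32).
    $raw = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Test-COMHijackCandidate {
    param([string]$Clsid)
    foreach ($kind in 'InprocServer32', 'LocalServer32') {
        $key = Join-Path (Join-Path $userClsid $Clsid) $kind
        if (-not (Test-Path $key)) { continue }
        $path = Get-ServerPath $key
        if (-not $path) { continue }

        $exists      = Test-Path -LiteralPath $path
        $inUserDir   = [bool]($userWritable | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') } | Select-Object -First 1)
        $sig         = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        # An HKCU entry for a CLSID that HKLM also registers is the classic hijack shape:
        # the per-user key wins the lookup and silently replaces the machine-wide server.
        $shadowsHklm = Test-Path (Join-Path (Join-Path $machineClsid $Clsid) $kind)

        [pscustomobject]@{
            CLSID       = $Clsid
            ServerType  = $kind
            ServerPath  = $path
            ShadowsHKLM = $shadowsHklm
            InUserDir   = $inUserDir
            Signature   = $sig
            # Assumed scoring rule: any one of the three signals marks the entry for triage.
            Suspicious  = $shadowsHklm -or $inUserDir -or ($sig -ne 'Valid')
        }
    }
}

function Find-COMHijackCandidates {
    if (-not (Test-Path $userClsid)) { return @() }
    Get-ChildItem -Path $userClsid -ErrorAction SilentlyContinue |
        ForEach-Object { Test-COMHijackCandidate -Clsid $_.PSChildName } |
        Where-Object { $_.Suspicious }
}

# Run as the user whose profile you are auditing; HKCU is per-user.
Find-COMHijackCandidates | Format-Table -AutoSize
```

Expect noise from per-user application installs, which legitimately register signed servers under %LOCALAPPDATA%; the strongest single signal is ShadowsHKLM, because an ordinary user has little reason to re-register a CLSID that the machine already provides. For continuous coverage rather than a point-in-time sweep, the same condition maps onto Sysmon registry events (Event ID 12 for key creation and 13 for value set) filtered to TargetObject paths under HKU\*\Software\Classes\CLSID\*\InprocServer32.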
● Examples
- 01
Registering a malicious InProcServer32 under HKCU\Software\Classes\CLSID for a CLSID loaded by Explorer at logon.
- 02
Hijacking a scheduled-task COM handler so a routine task loads attacker code.
● Frequently asked questions
What is COM Hijacking?
A persistence technique that redirects a Windows Component Object Model CLSID lookup to attacker code, executing it whenever a host process instantiates that object. It belongs to the Attacks & Threats category of cybersecurity.
What does COM Hijacking mean?
A persistence technique that redirects a Windows Component Object Model CLSID lookup to attacker code, executing it whenever a host process instantiates that object.
How does COM Hijacking work?
A per-user CLSID registration under HKCU\Software\Classes\CLSID is consulted before the machine-wide one under HKLM, so an attacker-controlled InProcServer32 path is loaded whenever a host process calls CoCreateInstance for that CLSID, as detailed in the full definition above.
How do you defend against COM Hijacking?
Defences for COM Hijacking typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for COM Hijacking?
Common alternative names include: Component Object Model hijacking, CLSID hijacking.
● Related terms
- attacks№ 331
DLL Hijacking
An attack that abuses Windows DLL search order to make a legitimate program load an attacker-controlled library instead of the intended one.
- attacks№ 054
AppInit_DLLs
Legacy Windows persistence technique that abuses a registry value so a specified DLL is loaded into every user-mode process linking user32.dll.
- attacks№ 515
IFEO Injection
A persistence and privilege-escalation technique that abuses the Windows Image File Execution Options registry key to run attacker code whenever a target executable launches.
- attacks№ 1246
WMI Event Subscription Persistence
Persistence technique that registers a permanent WMI event filter and consumer so attacker code runs whenever a chosen system event occurs.
- attacks№ 914
Registry Run Key Persistence
Classic Windows persistence technique that adds an entry under a Run or RunOnce registry key so a binary or script executes every time a user logs on.
- attacks№ 975
Scheduled Task Persistence
Persistence and execution technique in which an attacker creates or modifies a Windows scheduled task to run their payload on a trigger such as logon, boot, or a timer.