MITRE ATT&CK® Analytic

AN0628: Analytic 0628

Detects anomalous use of COM objects for execution, such as Office applications spawning scripting engines, enumeration of COM interfaces via registry queries, or processes loading atypical DLLs through COM activation. Correlates process creation, module loads, and registry queries to flag suspicious COM-based code execution or persistence.

Domain: Enterprise | ID: AN0628 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN0628 is a Windows detection analytic focused on suspicious COM-based execution or persistence patterns. Its business value lies in the fact that COM abuse blends into normal Windows and Office activity: basic process logging alone cannot distinguish legitimate automation from activity that may indicate unauthorized code execution or persistence, so organizations need correlated endpoint telemetry to make that call.

Executive priority

Prioritize this analytic where Windows endpoints and Office productivity applications are important to business operations. Leaders should ask whether SOC teams can correlate process creation, DLL/module loads, and registry query activity, because gaps in any one of those evidence sources can reduce confidence during incident triage. This is also relevant for audit and resilience discussions: the organization should be able to show that high-risk Windows execution paths are monitored, not just traditional malware signatures.

Technical view

Validate coverage on Windows for the behaviors named in the ATT&CK analytic description: Office applications spawning scripting engines, registry queries that enumerate COM interfaces, and unusual DLL loads associated with COM activation. Because no official detection logic is supplied, detection engineers should treat AN0628 as a strategy-level analytic: "atypical" and "anomalous" are only meaningful against a local baseline, so measure normal Office automation, administrative tooling, and application COM usage in the environment before alerting on deviations from it.

Likely telemetry

  • Windows process creation events, including parent-child process relationships
  • Module or DLL load telemetry from endpoints or EDR
  • Windows registry query telemetry, especially activity involving COM interface or class registration areas
  • Office application execution context and child process activity
  • Endpoint alert enrichment showing process lineage, command line, image path, user, host, and loaded modules

Detection direction

  • Correlate process creation, module loads, and registry queries rather than relying on a single event type.
  • Tune for Office applications spawning scripting engines, while accounting for legitimate macros, add-ins, automation, and administrative workflows.
  • Baseline common COM activation patterns per business application to reduce false positives from normal enterprise software behavior.
  • Look for unusual or atypical DLL loads through COM activation, especially when paired with suspicious process lineage or registry enumeration.
  • Document blind spots where registry query logging or module-load visibility is unavailable, because those gaps directly affect this analytic. Note in particular that Windows does not audit registry reads by default; capturing queries requires object-access auditing with SACLs on the relevant class and interface keys, and Sysmon records registry key and value changes rather than reads.
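To make the correlation concrete, the following Python example is added here; it is not MITRE's or Glexia's code and not an official detection query. It runs the detection directions above (Office parent spawning a scripting engine, a burst of registry queries under COM class and interface keys, and an InprocServer32 lookup followed by a DLL load from an untrusted directory) over a handful of constructed endpoint events. The normalized event schema (ts, host, pid, type, image, parent_image, key), the process-name lists, the trusted directories, the 60-second window and the enumeration threshold of five keys are all assumptions for illustration; a real deployment would set them from the local baseline the Technical view calls for.

```python
"""AN0628-style correlation over constructed endpoint events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning values are assumptions for this example; derive them from your baseline.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
COM_KEY_PREFIXES = ("hkcr\\clsid\\", "hkcr\\interface\\",
                    "hklm\\software\\classes\\clsid\\",
                    "hkcu\\software\\classes\\clsid\\")
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
ENUM_THRESHOLD = 5              # distinct COM keys queried by one process per window
WINDOW = timedelta(seconds=60)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _finding(rule, event, detail):
    return {"rule": rule, "host": event["host"], "pid": event["pid"], "detail": detail}


def detect(events):
    """Return a list of findings over normalized events (schema is an assumption).

    Event types: process_create (image, parent_image), image_load (image),
    registry_query (key). Events are grouped per (host, pid) so that the
    registry and module-load rules correlate within one process lineage.
    """
    findings = []
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["host"], ev["pid"])].append(ev)

    for evs in by_proc.values():
        evs.sort(key=_ts)

        # Rule 1: an Office application is the parent of a scripting engine.
        for ev in evs:
            if (ev["type"] == "process_create"
                    and _base(ev["parent_image"]) in OFFICE_APPS
                    and _base(ev["image"]) in SCRIPT_ENGINES):
                findings.append(_finding("office_spawns_script_engine", ev,
                                         f"{_base(ev['parent_image'])} -> {_base(ev['image'])}"))

        # Rule 2: many distinct COM class/interface keys queried inside one window.
        com_queries = [ev for ev in evs if ev["type"] == "registry_query"
                       and ev["key"].lower().startswith(COM_KEY_PREFIXES)]
        for i, first in enumerate(com_queries):
            in_window = {ev["key"].lower() for ev in com_queries[i:]
                         if _ts(ev) - _ts(first) <= WINDOW}
            if len(in_window) >= ENUM_THRESHOLD:
                findings.append(_finding("com_interface_enumeration", first,
                                         f"{len(in_window)} COM keys queried within {WINDOW.seconds}s"))
                break  # one finding per process is enough for triage

        # Rule 3: InprocServer32 lookup (how in-process COM servers are resolved)
        # followed shortly by a DLL load from outside the trusted directories.
        for query in com_queries:
            if not query["key"].lower().endswith("\\inprocserver32"):
                continue
            for load in evs:
                if load["type"] != "image_load":
                    continue
                delta = _ts(load) - _ts(query)
                if (timedelta(0) <= delta <= WINDOW
                        and not load["image"].lower().startswith(TRUSTED_DLL_DIRS)):
                    findings.append(_finding("atypical_com_dll_load", load,
                                             f"{query['key']} -> {load['image']}"))
    return findings


def _clsid_key(digit):
    """Placeholder CLSID built from one repeated digit (constructed, not a real class)."""
    return f"HKCR\\CLSID\\{{{digit * 8}-{digit * 4}-{digit * 4}-{digit * 4}-{digit * 12}}}"


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Benign: Excel resolves one CLSID and loads a vendor add-in from Program Files.
    {"ts": "2024-01-01T09:00:00", "host": "ws01", "pid": 4000, "type": "process_create",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-01-01T09:00:01", "host": "ws01", "pid": 4000, "type": "registry_query",
     "key": _clsid_key("1") + "\\InprocServer32"},
    {"ts": "2024-01-01T09:00:02", "host": "ws01", "pid": 4000, "type": "image_load",
     "image": "C:\\Program Files\\VendorAddin\\addin.dll"},
    # Suspicious: Word spawns wscript.exe, which walks CLSID keys, then loads a DLL from %TEMP%.
    {"ts": "2024-01-01T09:10:00", "host": "ws01", "pid": 5000, "type": "process_create",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    *[{"ts": f"2024-01-01T09:10:0{i}", "host": "ws01", "pid": 5000, "type": "registry_query",
       "key": _clsid_key(d)} for i, d in enumerate("23456", start=1)],
    {"ts": "2024-01-01T09:10:06", "host": "ws01", "pid": 5000, "type": "registry_query",
     "key": _clsid_key("6") + "\\InprocServer32"},
    {"ts": "2024-01-01T09:10:07", "host": "ws01", "pid": 5000, "type": "image_load",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\payload.dll"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} pid={f['pid']}: {f['detail']}")
```

The benign Excel session produces no findings even though it also touches a CLSID key and loads a DLL, because the load comes from a trusted directory and only one key is queried; the wscript.exe session trips all three rules. Rule 3 is the one most worth keeping narrow: in-process COM servers are located through the InprocServer32 value, so a lookup there followed by a load from a user-writable path is a much stronger signal than an untrusted DLL load on its own.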

Mitigation priorities

  • Ensure Windows endpoint telemetry collection includes process creation, module load, and registry query visibility where feasible.
  • Harden Office and scripting usage according to business need, reducing unnecessary automation paths where they are not required.
  • Review application allowlisting, macro governance, and endpoint policy controls that limit untrusted script or child-process execution from Office applications.
  • Use incident response playbooks that preserve process lineage, loaded module evidence, and relevant registry activity for suspected COM-based execution.
  • Maintain an approved baseline of enterprise applications that legitimately use COM so SOC teams can prioritize anomalous behavior.

Analyst notes and limits

This object is a detection analytic, not a technique definition. It provides a useful detection concept for suspicious COM object usage on Windows, but no official detection query, tactic mapping, or relationship context was supplied. Local baselining is important because COM is widely used by legitimate Windows and Office software.

The supplied ATT&CK fields do not include official detection logic, related techniques, mitigations, data components, adversary use, or impact examples. Conclusions are therefore limited to the stated Windows platform and the official description of correlating process creation, module loads, and registry queries for suspicious COM-based execution or persistence.

Official MITRE ATT&CK definition

Analytic 0628

Detects anomalous use of COM objects for execution, such as Office applications spawning scripting engines, enumeration of COM interfaces via registry queries, or processes loading atypical DLLs through COM activation. Correlates process creation, module loads, and registry queries to flag suspicious COM-based code execution or persistence.

The same entry is available on attack.mitre.org.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d4a20b18178da690...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d4a20b18178d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0628 (source URL on attack.mitre.org)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.