MITRE ATT&CK® Technique

T1546.015: Component Object Model Hijacking

Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.[1] References to various COM objects are stored in the Registry.

Adversaries may use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.[2] An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.

One variation of COM hijacking involves abusing Type Libraries (TypeLibs), which provide metadata about COM objects, such as their interfaces and methods. Adversaries may modify Registry keys associated with TypeLibs to redirect legitimate COM object functionality to malicious scripts or payloads. Unlike traditional COM hijacking, which commonly uses local DLLs, this variation may leverage the "script:" moniker to execute remote scripts hosted on external servers.[3] This approach enables stealthy execution of code while maintaining persistence, as the remote payload would be automatically downloaded whenever the hijacked COM object is accessed.

Enterprise | T1546.015 | Sub-technique | Object v1.3 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

COM hijacking matters because it turns normal Windows component loading into a persistence or privilege-escalation opportunity. A small Registry change can cause trusted Windows or application activity to load adversary-controlled code instead of the expected COM component, potentially making the activity blend into routine endpoint behavior.

Executive priority

Prioritize this as a Windows endpoint resilience and incident-readiness issue. Leaders should ask whether the organization can prove who changed COM-related Registry keys, whether suspicious DLL loads can be correlated back to those changes, and whether SOC playbooks treat COM hijacking as a persistence mechanism during containment and eradication. The ATT&CK relationships to APT28 and multiple malware/RAT families make this a useful control-validation scenario, but they do not by themselves indicate current exposure or active targeting.

Technical view

For SOC and IR teams, validate visibility on Windows Registry locations used for COM object and TypeLib references, then correlate changes with subsequent process execution and DLL loads. The related detection strategy, DET0481, specifically points to Registry and DLL load correlation. Pay attention to TypeLib abuse and use of the "script:" moniker described in the ATT&CK text, where a hijacked COM reference may retrieve a remote script when the object is accessed. Because legitimate software also uses COM extensively, detection should focus on unusual changes, unexpected paths, suspicious script references, and execution chains that differ from known-good baselines.

Likely telemetry

  • Windows Registry modification events for COM object and TypeLib references
  • Process creation events around applications that instantiate COM objects
  • DLL load telemetry tied to processes using COM components
  • File creation or modification events for newly referenced DLLs or payloads
  • Network telemetry for remote script retrieval when TypeLib or script moniker behavior is suspected

Detection direction

  • Baseline common COM and TypeLib Registry references on managed Windows systems and alert on unexpected changes.
  • Correlate Registry changes with later DLL loads or script execution from the affected host, as suggested by DET0481.
  • Tune detections to reduce noise from legitimate software installation, update, and repair activity that modifies COM registrations.
  • Investigate COM references pointing to unusual user-writable paths, unexpected DLLs, or remote script-style references where visible.
  • During IR, check COM hijacking when persistence remains after obvious startup folders, services, and scheduled tasks have been cleared.
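One way to put the Registry-to-DLL-load correlation from the Technical view and the Detection direction list into practice, as an added example that is not Glexia's or MITRE's code and is not DET0481 itself. It runs over a few constructed Sysmon-style events; the CLSID\{GUID}\InprocServer32 and TypeLib\{GUID}\<ver>\0\win32 locations are standard COM registration keys, while the event field names, the hosts, paths and GUIDs, and the 300-second window are assumptions.

```python
import re

# Constructed Sysmon-style events (not real telemetry): id 13 = registry value set, id 7 = DLL load.
EVENTS = [
    {"id": 13, "host": "ws01", "time": 100, "image": r"C:\Windows\regedit.exe",
     "target": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32\(Default)",
     "details": r"C:\Users\alice\AppData\Roaming\upd\helper.dll"},
    {"id": 7, "host": "ws01", "time": 130, "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\upd\helper.dll"},
    {"id": 13, "host": "ws02", "time": 200, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32\(Default)",
     "details": r"C:\Program Files\Vendor\vendor.dll"},
    {"id": 13, "host": "ws03", "time": 300, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-3\Software\Classes\TypeLib\{33333333-0000-0000-0000-000000000003}\1.0\0\win32\(Default)",
     "details": "script:https://example.invalid/payload.sct"},
]

# CLSID server values and TypeLib platform values: the standard COM registration locations.
COM_SERVER_KEY = re.compile(
    r"\\Classes\\(CLSID|TypeLib)\\\{[0-9a-f-]{36}\}\\(?:.*\\)?(InprocServer32|LocalServer32|win32|win64)\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)

def classify_registry_event(ev):
    """Return the reasons a registry write looks like COM/TypeLib hijacking; [] means not suspicious."""
    target, value = ev.get("target", ""), ev.get("details", "").strip('"')
    if ev["id"] != 13 or not COM_SERVER_KEY.search(target):
        return []
    reasons = []
    if target.upper().startswith("HKU\\"):  # per-user Classes shadow HKLM; noisy alone, pair with a baseline
        reasons.append("per-user hive overrides machine registration")
    if USER_WRITABLE.match(value):
        reasons.append("server path in user-writable location")
    if value.lower().startswith("script:"):
        reasons.append("script: moniker instead of a local DLL")
    return reasons

def correlate(events, window=300):
    """Pair each suspicious COM write with loads of the same DLL on that host within `window` seconds (assumed)."""
    findings = []
    for w in events:
        reasons = classify_registry_event(w)
        if not reasons:
            continue
        loads = [l["image"] for l in events if l["id"] == 7 and l["host"] == w["host"]
                 and w["time"] <= l["time"] <= w["time"] + window
                 and l["loaded"].lower() == w["details"].lower()]
        findings.append({"host": w["host"], "target": w["target"], "reasons": reasons, "loaded_by": loads})
    return findings
```

A TypeLib write with a "script:" value produces a finding with no DLL load, so the network telemetry listed above is what would confirm that branch.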

Mitigation priorities

  • Limit unnecessary ability to modify sensitive Windows Registry locations through least privilege and administrative change control.
  • Maintain endpoint baselines for COM-related Registry keys so unauthorized drift can be identified.
  • Use controlled software deployment and update processes to distinguish expected COM registration changes from suspicious ones.
  • Ensure EDR or endpoint logging captures Registry, process, module-load, and relevant network evidence needed to reconstruct the behavior.
  • Include COM hijacking checks in persistence-hunting and post-containment validation procedures.

Analyst notes and limits

This is a Windows sub-technique under Event Triggered Execution for persistence and privilege escalation. ATT&CK provides no official detection text for this object, but the supplied relationship to DET0481 gives a clear validation path: correlate COM-related Registry changes with DLL loading behavior. Related software includes JHUHUGIT, ADVSTORESHELL, ComRAT, BBSRAT, Mosquito, KONNI, WarzoneRAT, Ferocious, SILENTTRINITY, PcShare, and SVCReady.

The supplied ATT&CK fields do not provide official mitigations, specific Registry paths, guaranteed indicators, or organization-specific false-positive patterns. Local Windows build, installed software, administrative practices, and endpoint telemetry quality determine whether this can be detected reliably.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                              Relationship / procedure
Enterprise  T1546      Event Triggered Execution         This object is a sub-technique of Event Triggered Execution.
Enterprise  T1122      Component Object Model Hijacking  Component Object Model Hijacking (T1122) was revoked by this object.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Malware Enterprise

S0045: ADVSTORESHELL

ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase.[1][2]

Windows
Malware Enterprise

S0356: KONNI

KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.[1][2][3][4][5]

Windows
Tool Enterprise

S1050: PcShare

PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.[1][2]

Windows
Malware Enterprise

S0670: WarzoneRAT

WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[1][2]

Windows
Malware Enterprise

S0126: ComRAT

ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[1][2][3]

Windows
Malware Enterprise

S1064: SVCReady

SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between TA551 activity and SVCReady distribution, including similarities in file names, lure images, and identical grammatical errors.[1]

Windows
Malware Enterprise

S0256: Mosquito

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program.[1]

Windows
Malware Enterprise

S0127: BBSRAT

BBSRAT is malware with remote access tool functionality that has been used in targeted compromises.[1]

Windows
Tool Enterprise

S0692: SILENTTRINITY

SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[1][2]

Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.3
Created:
Modified:
Raw hash: b50e88b1a0b41045...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.3                       Current bundle  b50e88b1a0b4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft Component Object Model. Microsoft. (n.d.). The Component Object Model. Retrieved August 18, 2016.
  2. [2] GDATA COM Hijacking. G DATA. (2014, October). COM Object hijacking: the discreet way of persistence. Retrieved August 13, 2016.
  3. [3] RELIAQUEST. ReliaQuest Threat Research Team. (2025, April 11). Threat Spotlight: Hijacked and Hidden: New Backdoor and Persistence Technique. Retrieved June 27, 2025.
  4. [4] Elastic COM Hijacking. Ewing, P., Strom, B. (2016, September 15). How to Hunt: Detecting Persistence & Evasion with the COM. Retrieved September 15, 2016.
  5. [5] mitre-attack T1546.015.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.