
RP2001: Load malicious DLL via COM abuse

Summary

ID: RP2001
Brief Description: Response playbook for detected "DLL load via COM object" activity.
Author: Alex@Cyberok
Creation Date: 2023/05/18
Modification Date: 2023/05/18
Tags:
  • Status: Stable
  • Severity: High
  • Windows
Usecases:

Description

A successful "Load a Malicious DLL via COM Abuse" attack can be a huge security hole, because the attacker gains the ability to execute any "prepared" code without directly interacting with the malicious file: the DLL is loaded on the attacker's behalf whenever the abused COM object is instantiated.

Workflow


For better triage and response results you need to identify and analyse the artifacts from the use case.

  1. List Windows registry modifications (create, change, rename, delete), paying attention to modifications of particular COM objects. Whenever you find one, it likely contains a reference to the object's server: the malicious DLL file.
  2. Collect the referenced file. Analyse the malicious DLL with the tools you have: ideally you can perform "static" analysis as well as "behaviour" analysis via a sandbox, code inspection tools, etc. With luck, you will find the malicious influence on the affected system.
  3. Build and analyse the "process tree" (the different child and parent processes). List processes executed by the found DLL or by one of its child processes. Build a timeline and filter the events of interest connected with the discovered artifacts.
  4. Take containment actions depending on the situation and the asset's level of criticality:
     • Quarantine the suspicious file
     • Block processes spawned by the found executable file
  5. Take eradication actions depending on the situation and the asset's level of criticality:
     • Remove the malware file
     • Remove the registry keys related to the found artifacts
  6. Take recovery actions depending on the previous containment and eradication actions:
     • Unblock previously blocked processes (if needed)
     • Back up Windows registry hives
  7. Report the incident, remove security breaches, and conduct lessons-learned exercises.

Response discovery mapping

Artifact: Windows Registry
  Response actions: List newly created registry keys; List newly modified registry keys
  Description: Look for suspicious, non-random CLSID values.
  Observables: Created COM object

Artifact: COM object
  Response actions: Examine content
  Description: Examine the found registry keys and look for any link to the registered files.
  Observables: Malware-referenced DLL file

Artifact: Execution Binary
  Response actions: Collect file; Analyse Windows PE; List processes executed
  Description: Analyse the Windows PE file with any tools available to find out what "impact" the malware DLL has. These artifacts will be needed to respond appropriately in the next steps. Examine process creation in a sandbox and try to find these artifacts in your environment.
  Observables: Code execution artifacts

P.S. Artifacts from the "Attack Prerequisites" section (in this case: Host and Operating system executable file) should be used in Operational Preparations and as input arguments for the other response actions.
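The discovery step of the workflow and the "Windows Registry" / "COM object" rows of the mapping above come down to one question: which CLSID registrations point at a server DLL a responder should look at? The script below is an added example, not part of the RP2001 playbook or of SOLDR. It enumerates InprocServer32/LocalServer32 registrations under HKCU and HKLM, resolves the referenced file and attaches the triage hints from the mapping (non-GUID CLSID names, per-user registrations that take precedence over the HKLM copy, a missing or unsigned server file, a server in a user-writable directory). The list of user-writable locations and the output layout are assumptions; adjust them for your estate.

```powershell
# Added example for the RP2001 discovery step (not playbook or SOLDR code).
# Assumes read access to HKCU and HKLM; output objects can be piped to
# Export-Csv to feed the incident timeline.

$ServerSubkeys = 'InprocServer32', 'LocalServer32'
$GuidPattern   = '^\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$'
# Directories a standard user can write to (assumed list; extend as needed)
$UserWritable  = @($env:USERPROFILE, $env:ProgramData, $env:TEMP, $env:PUBLIC) | Where-Object { $_ }

function Resolve-ComServerPath {
    param([string]$Server)
    # '"C:\dir\x.dll" /args' -> 'C:\dir\x.dll'; also expands %SystemRoot% and friends
    if ($Server -match '^\s*"?(?<p>[^"]+?\.(?:dll|exe|ocx))"?') { $raw = $Matches.p }
    else { $raw = $Server.Trim() }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

function Get-ComServerRegistrations {
    param(
        # HKCU first: a CLSID registered here is used instead of the HKLM copy
        [string[]]$Roots = @('HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $hive = $root.Split(':')[0]
        foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            foreach ($sub in $ServerSubkeys) {
                $serverKey = "$($clsidKey.PSPath)\$sub"
                if (-not (Test-Path $serverKey)) { continue }
                # The server path is the key's default value
                $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
                if (-not $server) { continue }

                $path   = Resolve-ComServerPath $server
                $exists = Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue
                $signed = $false
                if ($exists) { $signed = (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid' }

                # Triage hints taken from the playbook's discovery mapping
                $flags = @()
                if ($clsidKey.PSChildName -notmatch $GuidPattern) { $flags += 'non-GUID CLSID name' }
                if ($hive -eq 'HKCU')                              { $flags += 'per-user registration' }
                if (-not $exists)                                  { $flags += 'server file missing' }
                elseif (-not $signed)                              { $flags += 'unsigned server' }
                foreach ($dir in $UserWritable) {
                    if ($path -like "$dir\*") { $flags += "user-writable location ($dir)"; break }
                }

                [pscustomobject]@{
                    Hive   = $hive
                    CLSID  = $clsidKey.PSChildName
                    Type   = $sub
                    Server = $server
                    Path   = $path
                    Exists = $exists
                    Signed = $signed
                    Flags  = ($flags -join '; ')
                }
            }
        }
    }
}

# Usage: flagged registrations only, the ones with most hints first
Get-ComServerRegistrations |
    Where-Object { $_.Flags } |
    Sort-Object { ($_.Flags -split '; ').Count } -Descending |
    Format-Table Hive, CLSID, Type, Path, Flags -AutoSize
```

A per-user registration whose server sits in a user-writable directory and is unsigned is the combination worth opening first; the `Path` column is the file to collect in step 2, and the `CLSID` and `Hive` columns identify the registry key to back up and remove later.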

Playbook Actions

Preparation

Operational Preparations

Identification

Collect File
Collect file via SOLDR
Analyse Windows PE
Perform malware analysis via SOLDR
List Processes Executed
List Registry Keys Created
Listing registry keys with Powershell

Containment

Quarantine File By Path
Perform quarantine file via SOLDR
Block Process By Executable Path
Terminate process via SOLDR

Eradication

Remove File
Deleting a file from Windows with Powershell
Deleting a file from Windows via SOLDR
Remove Registry Key
Remove Windows registry key with Powershell
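The containment, eradication and recovery actions listed above (quarantine the file, stop processes, remove the registry key, keep a registry backup) can be chained into one reversible routine. The function below is an added example and is not the playbook's or SOLDR's own code. It takes the CLSID key and DLL path found during identification; the quarantine and backup directories, the sidecar record format and the process-termination criterion (the DLL is mapped in the process) are assumptions. The .reg export is taken before the key is removed so that the recovery step has something to restore from.

```powershell
# Added example for the RP2001 containment/eradication actions (not playbook
# or SOLDR code). Inputs come from the identification step; directories are
# assumed. Supports -WhatIf so the run can be rehearsed first.
function Invoke-ComHijackEradication {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ClsidKey,   # e.g. 'HKCU:\Software\Classes\CLSID\{...}'
        [Parameter(Mandatory)][string]$DllPath,    # server file referenced by that key
        [string]$QuarantineDir = "$env:ProgramData\IR\Quarantine",
        [string]$BackupDir     = "$env:ProgramData\IR\RegBackup"
    )
    foreach ($d in $QuarantineDir, $BackupDir) { New-Item -ItemType Directory -Path $d -Force | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    # 1. Record the file before touching it: the hash is the IoC for the report
    $hash = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash

    # 2. Back up the registry key (reg.exe expects HKCU\..., not HKCU:\...)
    $nativeKey  = $ClsidKey -replace '^(HK\w+):\\', '$1\'
    $backupFile = Join-Path $BackupDir "clsid-$stamp.reg"
    if ($PSCmdlet.ShouldProcess($nativeKey, 'export to .reg')) {
        & reg.exe export $nativeKey $backupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed for $nativeKey" }
    }

    # 3. Containment: stop processes that currently have the DLL mapped.
    #    A loaded DLL can be renamed but not deleted, so do this before quarantine.
    $stopped = @()
    foreach ($p in Get-Process) {
        try {
            if ($p.Modules.FileName -contains $DllPath) {
                if ($PSCmdlet.ShouldProcess("$($p.Name) ($($p.Id))", 'Stop-Process')) {
                    Stop-Process -Id $p.Id -Force
                    $stopped += "$($p.Name):$($p.Id)"
                }
            }
        } catch { }   # module list not readable (protected/system process): skip
    }

    # 4. Quarantine: move the DLL out under a neutral name with a sidecar record
    $qFile = Join-Path $QuarantineDir "$hash.bin"
    if ($PSCmdlet.ShouldProcess($DllPath, "move to $qFile")) {
        Move-Item -LiteralPath $DllPath -Destination $qFile -Force
        [pscustomobject]@{
            OriginalPath = $DllPath; SHA256 = $hash; ClsidKey = $ClsidKey
            Time = $stamp; StoppedProcesses = $stopped
        } | ConvertTo-Json | Set-Content -LiteralPath "$qFile.json"
    }

    # 5. Eradication: remove the hijacked registration.
    #    Recovery, if needed: reg.exe import <backupFile>
    if ($PSCmdlet.ShouldProcess($ClsidKey, 'Remove-Item -Recurse')) {
        Remove-Item -Path $ClsidKey -Recurse -Force
    }

    [pscustomobject]@{ SHA256 = $hash; Quarantined = $qFile; Backup = $backupFile; StoppedProcesses = $stopped }
}

# Rehearse with -WhatIf, then run for real. Both arguments are placeholders for
# the CLSID and DLL path found during identification.
# Invoke-ComHijackEradication -ClsidKey 'HKCU:\Software\Classes\CLSID\{CLSID-FOUND-IN-STEP-1}' `
#     -DllPath 'C:\path\found.dll' -WhatIf
```

Moving the DLL to a renamed `.bin` keeps it available for the malware analysis action without leaving a loadable file at the registered path; the sidecar JSON and the returned object carry the hash, original path and stopped processes into the incident report.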

Recovery

Unblock Blocked Process

Lessons Learned

Develop Incident Report
Conduct Lessons Learned Exercise


Artifacts