Microsoft Defender Alert Details
Alert ID: MD-IPC-1559-7842
Alert Time: 2024-02-13 11:45:22 EST
Severity: HIGH (82/100)
Source: Microsoft Defender for Endpoint
Rule: “COM Hijacking for Persistence Detected”
MITRE ATT&CK: T1559 – Inter-Process Communication
Alert Details:
Detection: COM object hijacking attempt for persistence
Host: IT-WS-034 (IT Department)
User: mrobinson (Mike Robinson, IT Admin)
Time: 11:40 EST
Registry Modification:
– Key: HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32
– Old Value: C:\Windows\System32\ole32.dll
– New Value: C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll
– Time: 11:40:15 EST
Process Activity:
– Process: powershell.exe (PID: 3241)
– Command: reg add HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 /ve /d C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll /f
– Parent: explorer.exe (PID: 1123)
File Creation:
– File: C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll
– SHA256: a1b2c3d4e5f67890…
– Creation Time: 11:39:50 EST
DLL Analysis:
– Malicious DLL designed to load when any application uses the COM class
– COM class {00024512-0000-0000-C000-000000000046} is Microsoft Office component
– When Office starts, it loads this DLL, giving the attacker persistence
– DLL contains shellcode to call back to C2
Network Connection:
– No immediate connection; persistence mechanism only
– C2 embedded in DLL: 185.143.221[.]89:443
Additional Context:
– User mrobinson is an IT admin with local admin rights
– No previous detections on this host
– COM hijacking is a common persistence technique
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed COM hijacking attempt |
| 2. Immediate Containment | Isolate host | Defender | Host quarantined |
| 3. Malware Analysis | Analyze comhijack.dll | CrowdStrike Sandbox | DLL with reverse shell capability |
| 4. Registry Restore | Revert COM hijack | PowerShell, Regedit | Registry key restored to original value |
| 5. User Interview | Contact user | Teams, Phone | User unaware; clicked phishing link earlier |
| 6. Threat Hunting | Check for other COM hijacks | Defender, Splunk | No other hosts affected |
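A hunting script for step 6 of the table (checking other hosts for COM hijacks), added here as an example and not part of the original report. It assumes each host's CLSID hive was exported with `reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg` and decoded to text (exports are UTF-16LE), and flags InprocServer32 default values that resolve outside trusted system directories, as the hijacked entry in this incident did:

```python
"""Hunt for COM hijacks in a .reg export of HKLM\\SOFTWARE\\Classes\\CLSID."""
import re

# Directories an InprocServer32 DLL is expected to live under (assumption;
# extend for vendor install paths used in your environment).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample of a .reg export; the first entry mirrors the alert,
# the second is a benign system registration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\Users\\mrobinson\\AppData\\Local\\Temp\\comhijack.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32]
@="%SystemRoot%\\System32\\ole32.dll"
"ThreadingModel"="Both"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\\InprocServer32\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(?P<path>.*)"$')  # plain REG_SZ only; hex(2) values are skipped

def parse_inproc_servers(reg_text):
    """Yield (clsid_key, dll_path) for every InprocServer32 default value."""
    current = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        if line.startswith("["):
            current = None  # some other subkey, e.g. LocalServer32
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            # .reg escapes backslashes and quotes; undo that
            yield current, m.group("path").replace('\\"', '"').replace("\\\\", "\\")

def find_suspicious(reg_text):
    """Return (CLSID, path) for InprocServer32 DLLs outside trusted directories."""
    hits = []
    for key, path in parse_inproc_servers(reg_text):
        p = path.lower().replace("%systemroot%", "c:\\windows")
        if not p.startswith(TRUSTED_PREFIXES):
            hits.append((key.rsplit("\\", 1)[-1], path))
    return hits

if __name__ == "__main__":
    for clsid, path in find_suspicious(SAMPLE_REG):
        print(f"SUSPICIOUS {clsid} -> {path}")
```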
Jira Incident Report
Ticket: SOC-2024-070
Summary: T1559 – COM Hijacking Persistence Attempt via Malicious DLL
Status: RESOLVED
Resolution: MALICIOUS – Persistence Blocked
Priority: P2 – MEDIUM
Labels: T1559, inter-process-communication, com-hijacking, persistence, defender
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Microsoft Defender for Endpoint.
- Alert: “COM Hijacking for Persistence Detected”.
- Host: IT-WS-034 (IT Department, user mrobinson).
- Time: 2024-02-13 11:45 EST.
- Technique: MITRE ATT&CK T1559 – Inter-Process Communication.
2. Technical Analysis:
- Attack Chain:
11:30 – User clicked phishing link (fake IT support page)
11:31 – Downloaded and executed malicious PowerShell script
11:39 – PowerShell created comhijack.dll in temp folder
11:40 – Registry modified for COM hijacking
11:45 – Defender detected and alerted
- COM Hijacking Details:
- CLSID: {00024512-0000-0000-C000-000000000046} (Microsoft Office component)
- Original DLL: C:\Windows\System32\ole32.dll
- Malicious DLL: C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll
- Trigger: Any Office application start (Word, Excel, etc.)
- Persistence: Survives reboots; runs as user
- Malicious DLL Analysis:
- SHA256: a1b2c3d4e5f67890…
- Function: When loaded, it:
- Checks if already running (mutex)
- Establishes reverse shell to 185.143.221[.]89:443
- Downloads additional payload
- Injects into legitimate process
- User Activity:
- User clicked link in email claiming “IT Security Alert”
- Downloaded “security_update.ps1” and ran it
- Believed it was legitimate IT communication
3. Investigation Findings:
- Timeline:
11:30 – User clicks phishing link
11:31 – Downloads and runs security_update.ps1
11:39 – comhijack.dll created
11:40 – Registry modified
11:45 – Defender alert triggers
11:46 – Host isolated
- Indicators of Compromise (IoCs):
Files:
– security_update.ps1 (SHA256: b2c3d4e5f6…)
– comhijack.dll (SHA256: a1b2c3d4e5f6…)
Registry:
– HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
- Immediate Actions:
- Isolated host via Defender.
- Restored registry key to original value.
- Deleted comhijack.dll and security_update.ps1.
- Blocked C2 IP at firewall.
- User Remediation:
- User password reset.
- Phishing awareness training assigned.
- Host Remediation:
- Full scan completed (no other malware).
- No reimage needed (persistence removed).
5. Root Cause Analysis:
- Primary Cause: User downloaded and executed malicious script from phishing email.
- Contributing Factors:
- User had local admin rights (allowed registry modification).
- No ASR rule blocking Office child processes.
- Phishing email bypassed filters.
6. Business Impact:
- Operational Impact: IT workstation offline for 2 hours.
- Data Exposure: None (C2 blocked before connection).
7. Remediation & Prevention:
- Completed Actions:
- Persistence removed.
- Host cleaned.
- User educated.
- C2 blocked.
- Technical Controls Enhanced:
- Removed local admin rights from standard users.
- Enabled ASR rule “Block persistence via WMI and COM”.
- Enhanced PowerShell logging.
- Deployed phishing simulation for IT department.
8. Conclusion:
Attackers used a phishing email to trick an IT admin into running a malicious script that established COM hijacking persistence. Defender detected the registry modification and isolated the host before any C2 communication occurred.
Closure Rationale: Persistence removed; host cleaned; user educated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-13 13:00 EST