Microsoft Defender Alert Details
Alert ID: MD-IPC-1559-7842
Alert Time: 2024-02-13 11:45:22 EST
Severity: HIGH (82/100)
Source: Microsoft Defender for Endpoint
Rule: “COM Hijacking for Persistence Detected”
MITRE ATT&CK: T1559 – Inter-Process Communication
Alert Details:
Detection: COM object hijacking attempt for persistence
Host: IT-WS-034 (IT Department)
User: mrobinson (Mike Robinson, IT Admin)
Time: 11:40 EST
Registry Modification:
– Key: HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32
– Old Value: C:\Windows\System32\ole32.dll
– New Value: C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll
– Time: 11:40:15 EST
Process Activity:
– Process: powershell.exe (PID: 3241)
– Command: reg add HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 /ve /d C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll /f
– Parent: explorer.exe (PID: 1123)
File Creation:
– File: C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll
– SHA256: a1b2c3d4e5f67890…
– Creation Time: 11:39:50 EST
DLL Analysis:
– Malicious DLL designed to load whenever any application instantiates the COM class
– COM class {00024512-0000-0000-C000-000000000046} is a Microsoft Office component
– When Office starts, it loads this DLL, giving the attacker persistence
– DLL contains shellcode to call back to C2
Network Connection:
– No immediate connection; persistence mechanism only
– C2 embedded in DLL: 185.143.221[.]89:443
Additional Context:
– User mrobinson is IT admin with local admin rights
– No previous detections on this host
– COM hijacking is a common persistence technique
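Added example (not part of the original alert or report): Python triage logic that scores a registry-write event such as the one above, using the signals the alert relies on (a COM InprocServer32 value moved from a system directory into a user-writable path by a scripting tool). It also goes beyond the HKLM case on this page by weighting per-user HKCU CLSID entries, which shadow the machine-wide registration. The weights, the CLI_WRITERS set and the second sample event are assumptions.

```python
import re
from dataclasses import dataclass

# Registry writes that register a COM server DLL/EXE (any CLSID, either hive).
COM_SERVER_KEY = re.compile(
    r"\\classes\\clsid\\\{[0-9a-f-]{36}\}\\(?:inprocserver32|localserver32)$", re.I)
# Paths a standard user can write to: a COM server here is the core hijack signal.
USER_WRITABLE = re.compile(r"^(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)
# Paths where legitimately installed COM servers normally live.
TRUSTED_ROOTS = re.compile(
    r"^c:\\(?:windows\\(?:system32|syswow64)|program files(?: \(x86\))?)\\", re.I)
CLI_WRITERS = {"reg.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}  # assumed list

@dataclass
class RegistryEvent:  # one "registry value set" telemetry record
    key: str
    old_value: str          # "" when the value did not exist before
    new_value: str
    process: str
    command_line: str = ""

def assess(ev):
    """Return (score 0-100, reasons); 0 means the write is not a COM server registration."""
    if not COM_SERVER_KEY.search(ev.key):
        return 0, []
    in_user_path = bool(USER_WRITABLE.match(ev.new_value))
    checks = [  # (condition, points, reason); weights are assumptions
        (in_user_path, 50, "COM server now points into a user-writable path"),
        (not in_user_path and not TRUSTED_ROOTS.match(ev.new_value), 25, "COM server outside trusted roots"),
        (bool(ev.old_value) and bool(TRUSTED_ROOTS.match(ev.old_value))
         and ev.old_value.lower() != ev.new_value.lower(), 20, "replaced a server that lived in a system directory"),
        (ev.process.lower() in CLI_WRITERS
         or bool(re.search(r"\breg(\.exe)?\s+add\b", ev.command_line, re.I)), 12, "written by a scripting/CLI tool rather than an installer"),
        (ev.key.upper().startswith(("HKCU\\", "HKEY_CURRENT_USER\\")), 10, "per-user CLSID entry shadows the HKLM registration"),
    ]
    hits = [(pts, why) for ok, pts, why in checks if ok]
    return min(sum(p for p, _ in hits), 100), [w for _, w in hits]

# Constructed sample telemetry: the write from this alert, then a benign installer write (constructed CLSID).
SAMPLE_EVENTS = [
    RegistryEvent(
        key=r"HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32",
        old_value=r"C:\Windows\System32\ole32.dll",
        new_value=r"C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll",
        process="powershell.exe",
        command_line=r"reg add HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 /ve /d C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll /f"),
    RegistryEvent(
        key=r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
        old_value="", new_value=r"C:\Program Files\ExampleVendor\shellext.dll", process="msiexec.exe"),
]
```

Running `assess` over `SAMPLE_EVENTS` scores the alert's write 82 with three reasons and the installer write 0.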
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed COM hijacking attempt
2. Immediate Containment | Isolate host | Defender | Host quarantined
3. Malware Analysis | Analyze comhijack.dll | CrowdStrike Sandbox | DLL with reverse shell capability
4. Registry Restore | Revert COM hijack | PowerShell, Regedit | Registry key restored to original value
5. User Interview | Contact user | Teams, Phone | User unaware; clicked phishing link earlier
6. Threat Hunting | Check for other COM hijacks | Defender, Splunk | No other hosts affected
Jira Incident Report
Ticket: SOC-2024-070
Summary: T1559 – COM Hijacking Persistence Attempt via Malicious DLL
Status: RESOLVED
Resolution: MALICIOUS – Persistence Blocked
Priority: P2 – MEDIUM
Labels: T1559, inter-process-communication, com-hijacking, persistence, defender
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “COM Hijacking for Persistence Detected”.
Host: IT-WS-034 (IT Department, user mrobinson).
Time: 2024-02-13 11:45 EST.
Technique: MITRE ATT&CK T1559 – Inter-Process Communication.
2. Technical Analysis:
Attack Chain:
11:30 – User clicked phishing link (fake IT support page)
11:31 – Downloaded and executed malicious PowerShell script
11:39 – PowerShell created comhijack.dll in temp folder
11:40 – Registry modified for COM hijacking
11:45 – Defender detected and alerted
COM Hijacking Details:
CLSID: {00024512-0000-0000-C000-000000000046} (Microsoft Office component)
Original DLL: C:\Windows\System32\ole32.dll
Malicious DLL: C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll
Trigger: Any Office application start (Word, Excel, etc.)
Persistence: Survives reboots; runs as user
Malicious DLL Analysis:
SHA256: a1b2c3d4e5f67890…
Function: When loaded, it:
Checks if already running (mutex)
Establishes reverse shell to 185.143.221[.]89:443
Downloads additional payload
Injects into legitimate process
User Activity:
User clicked link in email claiming “IT Security Alert”
Downloaded “security_update.ps1” and ran it
Believed it was legitimate IT communication
3. Investigation Findings:
Timeline:
11:30 – User clicks phishing link
11:31 – Downloads and runs security_update.ps1
11:39 – comhijack.dll created
11:40 – Registry modified
11:45 – Defender alert triggers
11:46 – Host isolated
Indicators of Compromise (IoCs):
Files:
– security_update.ps1 (SHA256: b2c3d4e5f6…)
– comhijack.dll (SHA256: a1b2c3d4e5f6…)
Registry:
– HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Isolated host via Defender.
Restored registry key to original value.
Deleted comhijack.dll and security_update.ps1.
Blocked C2 IP at firewall.
User Remediation:
User password reset.
Phishing awareness training assigned.
Host Remediation:
Full scan completed (no other malware).
No reimage needed (persistence removed).
5. Root Cause Analysis:
Primary Cause: User downloaded and executed malicious script from phishing email.
Contributing Factors:
User had local admin rights (allowed registry modification).
No ASR rule blocking Office child processes.
Phishing email bypassed filters.
6. Business Impact:
Operational Impact: IT workstation offline for 2 hours.
Data Exposure: None (C2 blocked before connection).
7. Remediation & Prevention:
Completed Actions:
Persistence removed.
Host cleaned.
User educated.
C2 blocked.
Technical Controls Enhanced:
Removed local admin rights from standard users.
Enabled ASR rule “Block persistence via WMI and COM”.
Enhanced PowerShell logging.
Deployed phishing simulation for IT department.
8. Conclusion:
Attackers used a phishing email to trick an IT admin into running a malicious script that established COM hijacking persistence. Defender detected the registry modification and isolated the host before any C2 communication occurred.
Closure Rationale: Persistence removed; host cleaned; user educated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-13 13:00 EST
Batch 7: Execution & Persistence Incident Reports (Continued)