T1559 – Inter-Process Communication (Microsoft Defender Detection)

by

Microsoft Defender Alert Details

Alert ID: MD-IPC-1559-7842
Alert Time: 2024-02-13 11:45:22 EST
Severity: HIGH (82/100)
Source: Microsoft Defender for Endpoint
Rule: “COM Hijacking for Persistence Detected”
MITRE ATT&CK: T1559 – Inter-Process Communication

Alert Details:

Detection: COM object hijacking attempt for persistence

Host: IT-WS-034 (IT Department)

User: mrobinson (Mike Robinson, IT Admin)

Time: 11:40 EST

Registry Modification:

– Key: HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32

– Old Value: C:\Windows\System32\ole32.dll

– New Value: C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll

– Time: 11:40:15 EST

Process Activity:

– Process: powershell.exe (PID: 3241)

  – Command: reg add HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 /ve /d C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll /f

– Parent: explorer.exe (PID: 1123)

File Creation:

– File: C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll

– SHA256: a1b2c3d4e5f67890…

– Creation Time: 11:39:50 EST

DLL Analysis:

– Malicious DLL designed to load when any application uses the COM class

– COM class {00024512-0000-0000-C000-000000000046} is Microsoft Office component

– When Office starts, it loads this DLL, giving attacker persistence

– DLL contains shellcode to call back to C2

Network Connection:

– No immediate connection; persistence mechanism only

– C2 embedded in DLL: 185.143.221[.]89:443

Additional Context:

– User mrobinson is IT admin with local admin rights

– No previous detections on this host

– COM hijacking common persistence technique

SOC Investigation Process

StepActionTools UsedFindings
1. Alert ValidationVerify Defender alertMicrosoft 365 DefenderConfirmed COM hijacking attempt
2. Immediate ContainmentIsolate hostDefenderHost quarantined
3. Malware AnalysisAnalyze comhijack.dllCrowdStrike SandboxDLL with reverse shell capability
4. Registry RestoreRevert COM hijackPowerShell, RegeditRegistry key restored to original value
5. User InterviewContact userTeams, PhoneUser unaware; clicked phishing link earlier
6. Threat HuntingCheck for other COM hijacksDefender, SplunkNo other hosts affected

Jira Incident Report

Ticket: SOC-2024-070
Summary: T1559 – COM Hijacking Persistence Attempt via Malicious DLL
Status: RESOLVED
Resolution: MALICIOUS – Persistence Blocked
Priority: P2 – MEDIUM
Labels: T1559, inter-process-communication, com-hijacking, persistence, defender
Components: Endpoint-Security, Malware-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: Microsoft Defender for Endpoint.
  • Alert: “COM Hijacking for Persistence Detected”.
  • Host: IT-WS-034 (IT Department, user mrobinson).
  • Time: 2024-02-13 11:45 EST.
  • Technique: MITRE ATT&CK T1559 – Inter-Process Communication.

2. Technical Analysis:

  • Attack Chain:

11:30 – User clicked phishing link (fake IT support page)

11:31 – Downloaded and executed malicious PowerShell script

11:39 – PowerShell created comhijack.dll in temp folder

11:40 – Registry modified for COM hijacking

11:45 – Defender detected and alerted

  • COM Hijacking Details:
  • CLSID: {00024512-0000-0000-C000-000000000046} (Microsoft Office component)
  • Original DLL: C:\Windows\System32\ole32.dll
  • Malicious DLL: C:\Users\mrobinson\AppData\Local\Temp\comhijack.dll
  • Trigger: Any Office application start (Word, Excel, etc.)
  • Persistence: Survives reboots; runs as user
  • Malicious DLL Analysis:
  • SHA256: a1b2c3d4e5f67890…
  • Function: When loaded, it:
    • Checks if already running (mutex)
    • Establishes reverse shell to 185.143.221[.]89:443
    • Downloads additional payload
    • Injects into legitimate process
  • User Activity:
  • User clicked link in email claiming “IT Security Alert”
  • Downloaded “security_update.ps1” and ran it
  • Believed it was legitimate IT communication

3. Investigation Findings:

  • Timeline:

11:30 – User clicks phishing link

11:31 – Downloads and runs security_update.ps1

11:39 – comhijack.dll created

11:40 – Registry modified

11:45 – Defender alert triggers

11:46 – Host isolated

  • Indicators of Compromise (IoCs):

Files:

– security_update.ps1 (SHA256: b2c3d4e5f6…)

– comhijack.dll (SHA256: a1b2c3d4e5f6…)

Registry:

– HKLM\SOFTWARE\Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32

Network:

– C2: 185.143.221[.]89:443

4. Containment Actions:

  • Immediate Actions:
  • Isolated host via Defender.
  • Restored registry key to original value.
  • Deleted comhijack.dll and security_update.ps1.
  • Blocked C2 IP at firewall.
  • User Remediation:
  • User password reset.
  • Phishing awareness training assigned.
  • Host Remediation:
  • Full scan completed (no other malware).
  • No reimage needed (persistence removed).

5. Root Cause Analysis:

  • Primary Cause: User downloaded and executed malicious script from phishing email.
  • Contributing Factors:
  1. User had local admin rights (allowed registry modification).
  2. No ASR rule blocking Office child processes.
  3. Phishing email bypassed filters.

6. Business Impact:

  • Operational Impact: IT workstation offline for 2 hours.
  • Data Exposure: None (C2 blocked before connection).

7. Remediation & Prevention:

Completed Actions:

  • checkedPersistence removed.
  • checkedHost cleaned.
  • checkedUser educated.
  • checkedC2 blocked.

Technical Controls Enhanced:

  • checkedRemoved local admin rights from standard users.
  • checkedEnabled ASR rule “Block persistence via WMI and COM”.
  • checkedEnhanced PowerShell logging.
  • checkedDeployed phishing simulation for IT department.

8. Conclusion:

Attackers used a phishing email to trick an IT admin into running a malicious script that established COM hijacking persistence. Defender detected the registry modification and isolated the host before any C2 communication occurred.

Closure Rationale: Persistence removed; host cleaned; user educated.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-13 13:00 EST

Leave a Comment