Full Report
SUMMARY Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based…
Analysis Summary
# Tool/Technique: DCOM Attack Exploiting Windows Installer
## Overview
A newly identified attack technique that abuses Distributed Component Object Model (DCOM) functionality by exploiting the Windows Installer service to establish a persistent backdoor access mechanism on compromised systems. This method leverages legitimate Windows components to maintain persistence.
## Technical Details
- Type: Technique (Exploitation Chain)
- Platform: Windows
- Capabilities: Achieves persistence, executes arbitrary code via manipulation of system components (DCOM and Windows Installer).
- First Seen: Information not explicitly available in context, only that it was recently identified by researchers.
## MITRE ATT&CK Mapping (Inferred based on description)
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution
- *Inferred: The mechanism likely involves registry persistence or manipulation of system startup components, but specific T1547 sub-techniques are not detailed.*
- TA0004 - Privilege Escalation
- T1548 - Abuse Elevation Control Mechanism
- *Inferred: Exploiting DCOM/Installer often involves elevated privileges to ensure persistence.*
*Note: Since the article provides only a high-level description of the attack exploiting DCOM and Windows Installer, the MITRE ATT&CK mappings above are educated inferences based on the description of achieving "backdoor access" via system component abuse.*
## Functionality
### Core Capabilities
- Bypassing typical security monitoring by utilizing trusted Windows services (DCOM and Windows Installer).
- Establishing a persistent backdoor presence.
### Advanced Features
- Focuses on low-level system components (DCOM interactions with the Windows Installer service) for stealthy execution and maintenance of access.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context]
- Registry Keys: [Not specified in context, but likely involves registry keys related to service configuration or DCOM settings]
- Network Indicators: [Not specified in context]
- Behavioral Indicators: [Unusual DCOM activity interacting with the Windows Installer service, potential creation of new services or scheduled tasks for persistence]
## Associated Threat Actors
- [Not specified in context] (Reported by Trend Micro researchers, but actors using this technique are not named.)
## Detection Methods
- [Signature-based detection: Not specified]
- [Behavioral detection: Monitoring for undocumented or suspicious DCOM interactions that trigger Windows Installer processes inappropriately.]
- [YARA rules if available: Not specified]
## Mitigation Strategies
- [Prevention measures: Applying latest security patches for Windows, particularly those addressing DCOM security flaws or Windows Installer vulnerabilities.]
- [Hardening recommendations: Implementing defenses against credential dumping and privilege escalation to prevent initial access that would allow the attacker to deploy this technique.]
## Related Tools/Techniques
- General DCOM Abuse techniques.
- Other persistence mechanisms leveraging legitimate Windows services (e.g., WMI event subscriptions, service hijacking).