Full Report
In this article, Cisco Talos presents DispatchLogger, a new open-source tool that delivers high visibility into late-bound IDispatch COM object interactions via transparent proxy interception.
Analysis Summary
# Tool/Technique: DispatchLogger
## Overview
DispatchLogger is an open-source instrumentation tool developed by Cisco Talos designed to provide deep visibility into late-bound IDispatch COM (Component Object Model) interactions. It functions by using transparent proxy interception to log the semantic meaning of high-level COM interactions, which are often opaque to traditional low-level API monitoring tools.
## Technical Details
- **Type:** Analysis Tool / Instrumentation Framework
- **Platform:** Windows (x86 and x64)
- **Capabilities:** Transparent API hooking, recursive COM object wrapping, and high-level method/parameter logging.
- **First Seen:** March 18, 2026 (Article Publication Date)
## MITRE ATT&CK Mapping
- **[TA0002 - Execution]**
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1059.005 - Command and Scripting Interpreter: Visual Basic]
  - [T1059.007 - Command and Scripting Interpreter: JavaScript]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
- **[TA0005 - Defense Evasion]**
  - [T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control] (often performed via COM)
## Functionality
### Core Capabilities
- **Transparent Proxying:** Intercepts COM instantiation and returns a "proxy" object that the malware interacts with, believing it to be the legitimate Windows component.
- **COM Boundary Hooking:** Targets the specific Windows APIs used to create or look up objects:
  - `CoCreateInstance`
  - `CoGetClassObject`
  - `GetActiveObject`
  - `CoGetObject` / `MkParseDisplayName`
  - `CLSIDFromProgID`
- **Recursive Object Wrapping:** Automatically wraps any new IDispatch objects returned by a method call, ensuring the instrumentation follows the entire chain of execution (the "object graph").
### Advanced Features
- **Class Factory Hooking:** Hooks `CoGetClassObject` and wraps `IClassFactory`. This allows the tool to capture scripts that request `IUnknown` before querying for `IDispatch`, a common behavior in `vbscript.dll` that bypasses simpler interception methods.
- **Semantic Logging:** Captures the actual method names and parameters (e.g., detecting WMI process creation) rather than just raw memory addresses or low-level kernel calls.
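The three mechanisms above (a proxy handed back at the COM boundary, recursive wrapping of returned objects, and semantic logging by member name) in simulated form, as an added example that is not DispatchLogger's code: the late-bound objects, the DISPID resolution and the hooked `CoCreateInstance` are constructed Python stand-ins, and the WMI-style object graph is a mock whose `Create` launches nothing (the ProgID and member names are real, the objects are not).

```python
from typing import Any, Callable

class FakeDispatch:
    """Stand-in for a late-bound COM object: GetIDsOfNames maps a name to a DISPID, Invoke calls it."""
    def __init__(self, name: str, methods: dict[str, Callable[..., Any]]):
        self.name, self._names, self._methods = name, list(methods), methods
    def GetIDsOfNames(self, member: str) -> int:
        return self._names.index(member)  # ValueError stands in for DISP_E_UNKNOWNNAME
    def Invoke(self, dispid: int, *args: Any) -> Any:
        return self._methods[self._names[dispid]](*args)

class DispatchProxy:
    """Transparent proxy: same two entry points as the real object, logs every call by
    member name, and wraps any IDispatch-like result so the whole object graph is covered."""
    def __init__(self, inner: FakeDispatch, log: list[str], path: str):
        self._inner, self._log, self._path, self._dispids = inner, log, path, {}
    def GetIDsOfNames(self, member: str) -> int:
        dispid = self._inner.GetIDsOfNames(member)
        self._dispids[dispid] = member  # remember the name so Invoke can log it
        return dispid
    def Invoke(self, dispid: int, *args: Any) -> Any:
        member = self._dispids.get(dispid, f"DISPID_{dispid}")
        result = self._inner.Invoke(dispid, *args)
        self._log.append(f"{self._path}.{member}({', '.join(map(repr, args))})")
        if isinstance(result, FakeDispatch):  # recursive object wrapping
            return DispatchProxy(result, self._log, f"{self._path}/{result.name}")
        return result

def hooked_co_create_instance(progid: str, registry: dict[str, FakeDispatch], log: list[str]) -> DispatchProxy:
    """Stand-in for the CoCreateInstance hook: the script receives a proxy, not the object."""
    log.append(f"CoCreateInstance({progid!r})")
    return DispatchProxy(registry[progid], log, registry[progid].name)

def run_sample_script() -> list[str]:
    """Constructed WMI-like object graph; the mock Create only returns 0."""
    process_class = FakeDispatch("Win32_Process", {"Create": lambda cmd: 0})
    services = FakeDispatch("SWbemServices", {"Get": lambda cls: process_class})
    registry = {"WbemScripting.SWbemLocator": FakeDispatch(
        "SWbemLocator", {"ConnectServer": lambda *_: services})}
    log: list[str] = []
    # The late-bound chain a script host makes: one GetIDsOfNames/Invoke pair per step
    loc = hooked_co_create_instance("WbemScripting.SWbemLocator", registry, log)
    svc = loc.Invoke(loc.GetIDsOfNames("ConnectServer"), ".")
    proc = svc.Invoke(svc.GetIDsOfNames("Get"), "Win32_Process")
    proc.Invoke(proc.GetIDsOfNames("Create"), "<placeholder command>")
    return log

def flag_process_creation(log: list[str]) -> list[str]:
    """Defender-side check over the semantic log for WMI process creation."""
    return [entry for entry in log if "Win32_Process.Create(" in entry]
```

Because the proxy logs the resolved member name rather than a vtable address, the last log line reads as a WMI process-creation call, which is the kind of high-level event the tool's semantic logging surfaces.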
## Indicators of Compromise
*Note: As this is a defensive analysis tool, these indicators relate to its deployment during an investigation.*
- **File Names:** `DispatchLogger` (via Cisco Talos GitHub)
- **Behavioral Indicators:**
  - Injection into target script host processes (`cscript.exe`, `wscript.exe`, `powershell.exe`).
  - Use of API hooking on core COM DLLs (`ole32.dll`, `combase.dll`).
## Associated Threat Actors
This tool is used by **Malware Analysts and Researchers** to track various script-based threats. It is effective against malware categories including:
- **Windows Script Host Malware** (VBScript/JScript)
- **PowerShell-based Stealers/Loaders**
- **VBA Macro Downloaders**
- **AutoIt Malware**
- **VB6 and .NET COM Interop** malware
## Detection Methods
- **Behavioral Detection:** Detecting the injection of the DispatchLogger DLL into a running process.
- **Self-Detection:** While designed to be transparent, advanced malware could potentially detect the proxy by performing strict timing attacks or checking for the presence of the hooks in `ole32.dll` memory space.
## Mitigation Strategies
- **Attack Surface Reduction:** Disable or restrict `WScript`/`CScript` where they are not required for business operations, so that the script-based malware DispatchLogger is designed to analyze cannot execute in the first place.
- **AppLocker/Windows Defender Application Control (WDAC):** Prevent unauthorized scripts from running.
- **Hardening:** Use Constrained Language Mode in PowerShell to limit COM access.
## Related Tools/Techniques
- **WMI Instrumentation:** DispatchLogger provides visibility into WMI calls made via COM.
- **API Hooking Frameworks:** Similar to MinHook or Detours, but specialized for COM interfaces.
- **De-obfuscators:** Often used in tandem with tools like `box-js` or script debuggers.