Create a COM server

Hunt Hypothesis

The creation of a COM server may indicate an adversary establishing a persistence mechanism or executing malicious code through a legitimate system component. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert operations or malware leveraging COM interfaces for persistence and execution.

YARA Rule

rule create_com_service {
    meta:
        author = "x0r"
        description = "Create a COM server"
	version = "0.1"
    strings:
        $c1 = "DllCanUnloadNow" nocase
        $c2 = "DllGetClassObject"
        $c3 = "DllInstall"
        $c4 = "DllRegisterServer"
        $c5 = "DllUnregisterServer"
    condition:
        all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled Task to Register a COM Component
  Description: A system administrator schedules a task to register a legitimate COM component using regsvr32.exe or regasm.exe.
  Filter/Exclusion: Check for regsvr32.exe or regasm.exe in the command line, and verify if the COM server is part of a known enterprise tool (e.g., Microsoft Office, Adobe Acrobat).
  Example Filter: process.name = "regsvr32.exe" and process.args contains "regasm.exe"

• Scenario: Windows Service Installation
  Description: A legitimate Windows service is installed that requires creating a COM server as part of its setup process.
  Filter/Exclusion: Check for installation scripts or MSI packages that are known to be part of enterprise software (e.g., Microsoft SQL Server, IIS).
  Example Filter: process.name contains "msiexec.exe" or process.name contains "setup.exe"

• Scenario: Admin Task to Configure COM Interop
  Description: An administrator uses PowerShell or a script to configure COM interop settings for a .NET application.
  Filter/Exclusion: Filter for PowerShell scripts that reference known enterprise applications or COM servers.
  Example Filter: process.name = "powershell.exe" and process.args contains "Register-ComObject"

• Scenario: Legacy Application Compatibility Setup
  Description: A legacy application is being configured for compatibility with newer systems, which involves creating a COM server as part of the compatibility layer.
  Filter/Exclusion: Check for known legacy applications (e.g., Visual Basic 6.0, older .NET applications) and their associated COM components.
  Example Filter: process.name = "mscomctl.ocx" or process.name = "msvbvm60.dll"