Possible dllhost.exe Spawning Detected
🔍 Overview
This scenario simulates suspicious activity related to dllhost.exe (COM Surrogate), a legitimate Windows process that can be abused by attackers through COM object enumeration, COM execution, and COM hijacking techniques.
The scenario leverages Atomic Red Team payloads to reproduce behaviors that may lead to unexpected or anomalous dllhost.exe execution, which is a common indicator of Living-off-the-Land (LOLBins) abuse and stealthy execution paths.
🧪 Atomic Red Team Payloads Used
This scenario is composed of the following Atomic Red Team injects, each contributing to suspicious COM-related behavior:
1️⃣ Enumerate COM Objects in Registry with PowerShell 🔎 Enumerates COM class registrations in the Windows Registry, a common pre-abuse reconnaissance step prior to COM hijacking or proxy execution.
2️⃣ AMSI Bypass – Override AMSI via COM 🛑 Demonstrates how COM objects can be abused to bypass AMSI, enabling stealthy PowerShell execution that may later result in COM Surrogate activity.
3️⃣ PowerShell MsXml COM Object – With Prompt 🧩 Instantiates the MSXML COM object via PowerShell to perform network or script execution, which can trigger dllhost.exe as a COM Surrogate process.
4️⃣ PowerShell Execute COM Object ⚙️ Executes a COM object directly from PowerShell, simulating proxy execution via trusted Windows components.
5️⃣ COM Hijacking via TreatAs 🛠️ Abuses the TreatAs registry key to redirect legitimate COM object execution to attacker-controlled components, often resulting in dllhost.exe loading unexpected code.
6️⃣ COM Hijacking – InprocServer32 📦 Modifies the InprocServer32 registry value to hijack COM execution and force the loading of a malicious or non-standard DLL.
7️⃣ COM Hijacking with RunDLL32 (Local Server Switch) 🔁 Demonstrates a hybrid technique where COM hijacking leads to execution through proxy binaries, potentially involving dllhost.exe during COM resolution.
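The detection side of this scenario, as an added example that is not part of the original page or of Atomic Red Team: a small Python triage routine that runs over Sysmon-style process-creation (Event ID 1) and registry (Event ID 13) records and flags the two artefacts the injects above leave behind. A normal COM Surrogate launch comes from the DcomLaunch service host (svchost.exe) and carries a `/Processid:{CLSID}` argument, so a dllhost.exe spawned by another parent, or with no CLSID at all, is the anomaly the scenario title refers to; and COM hijacking shows up as writes to `InprocServer32`, `LocalServer32` or `TreatAs` under a CLSID key. The event dictionaries, CLSIDs and file paths are constructed sample data; the field names follow Sysmon's conventions, which is the only assumption the code makes.

```python
"""Triage helpers for anomalous dllhost.exe (COM Surrogate) activity.

Added example, not code from the original scenario page. The records below are
constructed, Sysmon-style dictionaries (Event ID 1 = process creation, Event ID
13 = registry value set); the field names are the only assumption made here.
"""
import re

# Benign surrogate launches: parent is the DcomLaunch service host and the
# command line names the surrogated COM server via /Processid:{CLSID}.
EXPECTED_PARENT = r"c:\windows\system32\svchost.exe"
PROCESSID_RE = re.compile(r"/processid:\{[0-9a-f-]{36}\}", re.IGNORECASE)

# Registry locations touched by COM hijacking (T1546.015): a CLSID entry whose
# InprocServer32, LocalServer32 or TreatAs subkey is rewritten.
HIJACK_KEY_RE = re.compile(
    r"\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}\\(inprocserver32|localserver32|treatas)",
    re.IGNORECASE,
)


def check_process_event(event):
    """Return the reasons an Event ID 1 record looks suspicious (empty list = benign)."""
    reasons = []
    image = event.get("Image", "").lower()
    if not image.endswith(r"\dllhost.exe"):
        return reasons  # only COM Surrogate launches are in scope here
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    if parent != EXPECTED_PARENT:
        reasons.append(f"dllhost.exe spawned by unexpected parent {parent}")
    if not PROCESSID_RE.search(cmdline):
        reasons.append("dllhost.exe launched without a /Processid:{CLSID} argument")
    return reasons


def check_registry_event(event):
    """Return a reason string if an Event ID 13 record rewrites a COM hijack key, else None."""
    target = event.get("TargetObject", "")
    match = HIJACK_KEY_RE.search(target)
    if not match:
        return None
    # HKCU\Software\Classes takes precedence over HKLM when HKCR is merged, so a
    # per-user write is the higher-priority finding; machine-hive writes are
    # usually installers and need allow-listing rather than alerting.
    hive = "user" if target.upper().startswith("HKU\\") else "machine"
    return f"COM registration {match.group(1)} modified in {hive} hive: {target}"


def triage(events):
    """Run both checks over an event stream; return (event_index, reason) pairs."""
    alerts = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 1:
            alerts.extend((idx, r) for r in check_process_event(ev))
        elif ev.get("EventID") == 13:
            reason = check_registry_event(ev)
            if reason:
                alerts.append((idx, reason))
    return alerts


# Constructed sample telemetry (placeholder CLSIDs, SID and paths): one benign
# surrogate launch, one dllhost.exe spawned from PowerShell with no CLSID, and
# one per-user InprocServer32 rewrite pointing at a DLL in a temp directory.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\placeholder.dll"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event[{idx}]: {reason}")
```

The parent and `/Processid` heuristics are deliberately strict so that a surrogate started any other way surfaces; in a real environment, tune them against a baseline of the DcomLaunch-spawned dllhost.exe instances the hosts normally produce, and pair the registry rule with the `Details` value (the DLL or server path written) so that an analyst can see at a glance whether the redirected COM server lives in a user-writable location.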
🧠 MITRE ATT&CK Mapping
Primary Techniques
- T1546.015 – Event Triggered Execution: Component Object Model Hijacking
- T1218 – System Binary Proxy Execution
Supporting Techniques
- T1059.001 – PowerShell
- T1112 – Modify Registry
- T1562.001 – Impair Defenses (AMSI Bypass)