OpenCTI または OpenAEV プラットフォームを 30 日間お試しいただけます。 無料トライアル
XTM Hub by Filigranサインイン

Possible dllhost.exe Spawning Detected

Endpoint Security Validation
Detection Rule Validation

概要

Possible dllhost.exe Spawning Detected

🔍 Overview

This scenario simulates suspicious activity related to dllhost.exe (COM Surrogate), a legitimate Windows process that can be abused by attackers through COM object enumeration, COM execution, and COM hijacking techniques.

The scenario leverages Atomic Red Team payloads to reproduce behaviors that may lead to unexpected or anomalous dllhost.exe execution, which is a common indicator of Living-off-the-Land (LOLBins) abuse and stealthy execution paths.

🧪 Atomic Red Team Payloads Used

This scenario is composed of the following Atomic Red Team injects, each contributing to suspicious COM-related behavior:

1️⃣ Enumerate COM Objects in Registry with PowerShell 🔎 Enumerates COM class registrations in the Windows Registry, a common pre-abuse reconnaissance step prior to COM hijacking or proxy execution.

2️⃣ AMSI Bypass – Override AMSI via COM 🛑 Demonstrates how COM objects can be abused to bypass AMSI, enabling stealthy PowerShell execution that may later result in COM Surrogate activity.

3️⃣ PowerShell MsXml COM Object – With Prompt 🧩 Instantiates the MSXML COM object via PowerShell to perform network or script execution, which can trigger dllhost.exe as a COM Surrogate process.

4️⃣ PowerShell Execute COM Object ⚙️ Executes a COM object directly from PowerShell, simulating proxy execution via trusted Windows components.

5️⃣ COM Hijacking via TreatAs 🛠️ Abuses the TreatAs registry key to redirect legitimate COM object execution to attacker-controlled components, often resulting in dllhost.exe loading unexpected code.

6️⃣ COM Hijacking – InprocServer32 📦 Modifies the InprocServer32 registry value to hijack COM execution and force the loading of a malicious or non-standard DLL.

7️⃣ COM Hijacking with RunDLL32 (Local Server Switch) 🔁 Demonstrates a hybrid technique where COM hijacking leads to execution through proxy binaries, potentially involving dllhost.exe during COM resolution.

🧠 MITRE ATT&CK Mapping

Primary Techniques

  • T1546.015 – Event Triggered Execution: Component Object Model Hijacking

  • T1218 – System Binary Proxy Execution

Supporting Techniques

  • T1059.001 – PowerShell
  • T1112 – Modify Registry
  • T1562.001 – Impair Defenses (AMSI Bypass)

基本情報

Filigran
Sébastien Miguel
2026年7月01日
2.0.14
70+
5

    当社は、XTM Hubの機能を動作させ、その利用状況を把握し、ユーザー体験を向上させるためにクッキーを使用しています。必須のクッキーは常に有効になっています。また、ユーザーの同意を得た上で、機能、パフォーマンス、分析、およびマーケティングを目的としたオプションのクッキーも使用しています。 すべてのクッキーを受け入れる、すべてを拒否する、または許可するオプションのクッキーを選択することができます。「クッキー設定」から、いつでも設定を変更できます。詳細については、当社のクッキーポリシーをご覧ください。