A sophisticated technique was recently detected by researchers in which attackers abuse Component Object Model (COM) objects to execute fileless malware for lateral movement across networks. The attack exploits COM, a binary interface standard developed in the early 1990s that remains integral to modern Windows operating systems. IBM analysts identified that this attack methodology builds upon research from James Forshaw of Google Project Zero, who in February 2025 detailed a novel approach for abusing Distributed COM (DCOM) remoting technology. Security researchers Dylan Tran and Jimmy Bayne subsequently expanded on this approach to develop a proof-of-concept demonstrating fileless lateral movement capabilities. Their research showcases how attackers can leverage DCOM to remotely manipulate registry settings and execute malicious code without leaving obvious artifacts on disk. This technique, detailed in research from March 2025, leverages legitimate Windows functionality to establish persistence and evade traditional security controls, marking a significant evolution in attack methodologies.

The technique allows trapped COM objects to execute .NET managed code within the context of server-side DCOM processes, potentially leading to privilege escalation and Protected Process Light (PPL) bypass. Its potency stems from its ability to operate within legitimate Windows processes, specifically targeting the WaaSMedicSvc service, which executes within a protected svchost.exe process with SYSTEM privileges. The attack begins with manipulation of remote registry settings to enable .NET reflection over DCOM by setting the AllowDCOMReflection and OnlyUseLatestCLR values under the target's HKLM\Software\Microsoft\.NETFramework registry path. This allows dynamic loading of malicious .NET assemblies via Assembly.Load over DCOM, with execution occurring entirely in memory within a Protected Process Light svchost.exe context.

Security professionals recommend monitoring for CLR load events within svchost.exe processes, detecting registry manipulations of specific COM-related keys, and implementing host-based firewall restrictions to mitigate this emerging threat vector.
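As an added example (not code from the article or from the researchers it cites), the following Python scans constructed Sysmon-style events for the two indicators the article recommends watching: the AllowDCOMReflection and OnlyUseLatestCLR values being set under HKLM\SOFTWARE\Microsoft\.NETFramework, and a CLR image loading into svchost.exe. The field names follow Sysmon's schema; the event values, process IDs and the list of CLR DLLs are assumptions.

```python
import re

# Values the article says the attack sets, under HKLM\SOFTWARE\Microsoft\.NETFramework.
NETFX_VALUE = re.compile(
    r"\\Microsoft\\\.NETFramework\\(AllowDCOMReflection|OnlyUseLatestCLR)$", re.I)
CANONICAL = {"allowdcomreflection": "AllowDCOMReflection", "onlyuselatestclr": "OnlyUseLatestCLR"}
# DLLs whose load marks the CLR starting inside a process (assumption: illustrative, not exhaustive).
CLR_IMAGES = {"clr.dll", "mscoree.dll", "clrjit.dll"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Classify one Sysmon-style event dict; return a finding string or None."""
    if ev.get("EventID") == 13:  # RegistryEvent (Value Set)
        m = NETFX_VALUE.search(ev.get("TargetObject", ""))
        # Only a value of 1 enables reflection; resetting it to 0 is not an indicator.
        if m and ev.get("Details", "").upper().endswith("(0X00000001)"):
            return "registry:%s:%s" % (CANONICAL[m.group(1).lower()], basename(ev.get("Image", "")))
    elif ev.get("EventID") == 7:  # ImageLoad
        if basename(ev.get("Image", "")) == "svchost.exe" and basename(ev.get("ImageLoaded", "")) in CLR_IMAGES:
            return "clr-load:%s:pid=%s" % (basename(ev["ImageLoaded"]), ev.get("ProcessId"))
    return None


def scan(events):
    """Return individual findings, plus a chain finding when both values were enabled and the CLR loaded."""
    findings = [f for f in map(check_event, events) if f]
    enabled = {f.split(":")[1] for f in findings if f.startswith("registry:")}
    if set(CANONICAL.values()) <= enabled and any(f.startswith("clr-load:") for f in findings):
        findings.append("chain:dcom-reflection-then-clr-in-svchost")
    return findings


# Constructed sample events (Sysmon field names; values made up). A remote registry write is
# performed by the Remote Registry service, which itself runs in svchost.exe, so the Image is svchost.exe.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1234,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\AllowDCOMReflection", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1234,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe", "ProcessId": 777,  # benign value, same key
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\InstallRoot", "Details": r"C:\Windows\Microsoft.NET"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 4321,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 4321,  # ordinary RPC DLL
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ProcessId": 999,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},  # CLR in PowerShell is normal
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A CLR load into svchost.exe is not malicious on its own (some services are managed code), so the chain finding, which requires the registry flips as well, is the one worth alerting on at high severity.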
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 27 Mar 2025 11:25:20 +0000