Cisco Talos: a field guide to Windows COM abuse — ITaskService, BITS, WMI and DCOM as EDR-evasion primitives
Part of run 2026-06-28-1b30612a (intel · Claude Opus 4.8 (1M context))
Cisco Talos published a reverse-engineering primer (2026-06-25) on how Windows threats weaponise Component Object Model (COM) interfaces to hide operations inside legitimate service call stacks (Cisco Talos, 2026-06-25). Four technique classes share one detection gap: the calls are routed through vtable indirection rather than direct API imports, so import-table and API-hook based EDR visibility is limited. ITaskService/ITaskScheduler persistence creates scheduled tasks with no visible schtasks.exe process (T1053.005); IBackgroundCopyJob (BITS) moves C2 traffic and files that get attributed to the trusted BITS service process (T1197); IWbemLocator/WMI blends discovery into svchost.exe (T1082, T1518.001); and DCOM/IDispatch enables remote object activation for lateral movement (T1021.003). Families studied include Gh0stRAT (ITaskService persistence), Attor (BITS C2 plus WMI), Qakbot (WMI) and WarmCookie (ITaskScheduler 1.0). The actionable takeaway for detection engineers: scheduled-task-creation rules keyed on schtasks.exe or PowerShell process creation miss COM-based task creation, because the task is registered in-process and the telemetry it leaves differs from the command-line path (no schtasks.exe or PowerShell process-creation event to match on). Build coverage for task creation where the creating image is unexpected, WMI activity from non-system parents, and BITS jobs created by non-svchost processes.
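As an added example (not code from the Talos post or from any vendor product), the three coverage items above written as a small detection pass in Python over constructed, pre-normalised events. It assumes an enrichment stage that has already joined Security event 4698 (task created), Microsoft-Windows-Bits-Client/Operational event 3 (new BITS job) and WMI client telemetry to the image of the process that made the call; the `source` values, field names, allowlists and sample events are this example's own. The in-process path the first rule targets is what `New-Object -ComObject Schedule.Service` does from PowerShell, i.e. ITaskService with no schtasks.exe anywhere in the chain.

```python
"""Detection pass for the three COM-abuse coverage gaps (added example).

Assumption: raw Windows records (Security 4698, Bits-Client/Operational 3,
WMI client activity from an EDR or WMI trace source) have been flattened to
dicts and joined to the `image` of the calling process. `source` values and
field names are this example's own, not Windows event XML names.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Starting allowlists (assumption: tune per estate). An image is "expected"
# only if its basename is listed AND it lives in a system directory, so a
# copy of svchost.exe dropped under a user path does not pass.
TASK_CREATOR_ALLOW = {"schtasks.exe", "mmc.exe", "svchost.exe", "msiexec.exe"}
WMI_CLIENT_ALLOW = {"svchost.exe", "wmiprvse.exe", "mmc.exe"}
BITS_OWNER_ALLOW = {"svchost.exe"}  # the brief: BITS jobs from non-svchost processes
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

AV_CLASS = "antivirusproduct"                              # T1518.001
SYSINFO_CLASSES = ("win32_operatingsystem", "win32_computersystem")  # T1082


@dataclass
class Alert:
    rule: str
    technique: Optional[str]
    image: str
    reason: str


def split_path(path: str) -> tuple:
    """(directory, basename), lower-cased, tolerant of forward slashes."""
    p = path.replace("/", "\\").lower()
    d, _, name = p.rpartition("\\")
    return d, name


def is_expected(image: str, allow: Set[str]) -> bool:
    d, name = split_path(image)
    return name in allow and d in SYSTEM_DIRS


def rule_task(ev: dict) -> Optional[Alert]:
    # T1053.005: a task was registered but the creator is not a normal task client.
    if ev["source"] != "task_created" or is_expected(ev["image"], TASK_CREATOR_ALLOW):
        return None
    return Alert("task_created_by_unexpected_image", "T1053.005", ev["image"],
                 f"task {ev['task_name']} created by {ev['image']} as {ev['user']}")


def rule_wmi(ev: dict) -> Optional[Alert]:
    # WMI issued by a non-system client; classify discovery where the class is known.
    if ev["source"] != "wmi_query" or is_expected(ev["image"], WMI_CLIENT_ALLOW):
        return None
    q = ev["query"].lower()
    technique = ("T1518.001" if AV_CLASS in q
                 else "T1082" if any(c in q for c in SYSINFO_CLASSES) else None)
    return Alert("wmi_from_unexpected_client", technique, ev["image"],
                 f"{ev['image']} ran {ev['query']}")


def rule_bits(ev: dict) -> Optional[Alert]:
    # T1197: BITS job whose creating process is not the BITS service host.
    if ev["source"] != "bits_job_created" or is_expected(ev["image"], BITS_OWNER_ALLOW):
        return None
    return Alert("bits_job_from_non_svchost", "T1197", ev["image"],
                 f"BITS job '{ev['job_title']}' to {ev['url']} created by {ev['image']}")


RULES = (rule_task, rule_wmi, rule_bits)


def evaluate(events: List[dict]) -> List[Alert]:
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


def pivot_by_image(alerts: List[Alert]) -> Dict[str, Set[str]]:
    """One image tripping several gaps (task + WMI + BITS, as with the
    families in the brief) is far stronger than any single hit."""
    out: Dict[str, Set[str]] = {}
    for a in alerts:
        out.setdefault(a.image.lower(), set()).add(a.rule)
    return out


# Constructed sample events: a benign and a COM-abuse case for each gap.
SAMPLE_EVENTS = [
    {"source": "task_created", "image": r"C:\Windows\System32\schtasks.exe",
     "user": r"CORP\alice", "task_name": r"\Maint\Cleanup"},
    {"source": "task_created", "image": r"C:\Users\Public\update.exe",
     "user": r"CORP\alice", "task_name": r"\Updater"},
    {"source": "wmi_query", "image": r"C:\Windows\System32\svchost.exe",
     "query": "SELECT * FROM Win32_OperatingSystem"},
    {"source": "wmi_query", "image": r"C:\Users\Public\update.exe",
     "query": "SELECT displayName FROM AntiVirusProduct"},
    {"source": "bits_job_created", "image": r"C:\Windows\System32\svchost.exe",
     "job_title": "EdgeUpdate", "url": "https://update.example.com/edge.cab"},
    {"source": "bits_job_created", "image": r"C:\Users\Public\update.exe",
     "job_title": "sync", "url": "http://198.51.100.7/p"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.technique}: {a.reason}")
    print(pivot_by_image(found))
```

Three alerts fire, all for `C:\Users\Public\update.exe`, and the pivot shows that one image touched all three gaps, which is the triage signal worth paging on; the benign schtasks.exe and svchost.exe events pass because they match both the basename allowlist and a system directory.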
“COM—a fundamental Windows inter-process communication and object activation mechanism—provides attackers convenient access to legitimate Windows functionality while obfuscating malicious activity behind indirect vtable calls” — Cisco Talos
“Task Scheduler COM interfaces (ITaskService, ITaskScheduler) enable scheduled task creation without visible schtasks.exe process execution” — Cisco Talos