Event Triggered Execution: Component Object Model Hijacking

Other sub-techniques of Event Triggered Execution (18)

ID	Name
ATAGS-T1069.001	Accessibility Features
ATAGS-T1069.002	AppCert DLLs
ATAGS-T1069.003	AppInit DLLs
ATAGS-T1069.004	Application Shimming
ATAGS-T1069.005	Change Default File Association
ATAGS-T1069.006	Component Object Model Hijacking
ATAGS-T1069.007	Emond
ATAGS-T1069.008	Image File Execution Options Injection
ATAGS-T1069.009	Installer Packages
ATAGS-T1069.010	LC_LOAD_DYLIB Addition
ATAGS-T1069.011	Netsh Helper DLL
ATAGS-T1069.012	PowerShell Profile
ATAGS-T1069.013	Python Startup Hooks
ATAGS-T1069.014	Screensaver
ATAGS-T1069.015	Trap
ATAGS-T1069.016	Udev Rules
ATAGS-T1069.017	Unix Shell Configuration Modification
ATAGS-T1069.018	Windows Management Instrumentation Event Subscription

Threat Actors may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry.

ID: ATAGS-T1069.006

Sub-technique of: ATAGS-T1069

ⓘ

Tactic: Persistence

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.