Dllhost.exe
Used by Windows to host COM objects in a DLL surrogate process
Paths:
- C:\Windows\System32\dllhost.exe
- C:\Windows\SysWOW64\dllhost.exe
Resources:
https://twitter.com/CyberRaiju/status/1167415118847598594
https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
Acknowledgement:
Jai Minton - @CyberRaiju
Nasreddine Bencherchali - @nas_bench
Detection:
Execute
Use dllhost.exe to load a registered or hijacked COM Server payload.
dllhost.exe /Processid:{CLSID}
Usecase: Execute a DLL Surrogate COM Object.
Privileges required: User
OS: Windows 10 (and likely previous versions)
Mitre: T1546.015
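
A defender-side triage of process-creation events for the command line above, as an added example that is not part of this entry or of the LOLBAS project. It checks the image path against the two paths listed here and compares the GUID in /Processid: against a per-host baseline. The function names, the baseline and the sample events are constructed for illustration, and treating a missing /Processid: argument as review-worthy is an assumption of this example.

```python
import re
from typing import NamedTuple, Optional

# Image paths this page lists for dllhost.exe (lower-cased for comparison).
EXPECTED_PATHS = {
    r"c:\windows\system32\dllhost.exe",
    r"c:\windows\syswow64\dllhost.exe",
}
# The /Processid:{GUID} argument form shown in the command on this page.
PROCESSID_RE = re.compile(
    r"/processid:\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}", re.I)

class Finding(NamedTuple):
    image: str
    guid: Optional[str]
    reasons: tuple

def triage(image, command_line, baseline):
    """Return a Finding if a dllhost.exe process event needs review, else None."""
    if not image.lower().endswith("\\dllhost.exe"):
        return None  # not a dllhost.exe event
    reasons = []
    if image.lower() not in EXPECTED_PATHS:
        reasons.append("image outside System32/SysWOW64")
    match = PROCESSID_RE.search(command_line)
    guid = match.group(1).upper() if match else None
    if guid is None:
        # Assumption of this example: a surrogate started without the argument is unusual.
        reasons.append("no /Processid:{GUID} argument")
    elif guid not in baseline:
        reasons.append("GUID not in host baseline")
    return Finding(image, guid, tuple(reasons)) if reasons else None

def review(events, baseline):
    """Triage (image, command_line) pairs and keep only the findings."""
    return [f for f in (triage(i, c, baseline) for i, c in events) if f]

# Constructed baseline and events; none of these GUIDs are real registrations.
BASELINE = {"AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"}
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\dllhost.exe",
     r"C:\Windows\System32\dllhost.exe /Processid:{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"),
    (r"C:\Windows\SysWOW64\dllhost.exe",
     r"dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}"),
    (r"C:\Users\Public\dllhost.exe", r"dllhost.exe"),
    (r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS, BASELINE):
        print(finding)
```

In practice the baseline would be built from GUIDs observed on known-good hosts, and each finding resolved against the registry before being treated as malicious.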