
Intelligence Center

Cisco Talos introduced DispatchLogger, an open-source dynamic analysis tool designed to intercept and log late-bound COM automation calls. By utilizing transparent proxying and recursive object wrapping, the tool provides analysts with deep semantic visibility into script-based malware behavior, such as WMI abuse and fileless execution, effectively bypassing common script obfuscation techniques.

Confidence: high | Analyzed: 2026-03-19 | reports

Authors: David Zimmer, Cisco Talos

Source: Cisco Talos

Key Takeaways

  • Cisco Talos released DispatchLogger, an open-source tool for logging late-bound IDispatch COM object interactions.
  • The tool uses transparent proxy interception at the COM instantiation boundary to provide deep semantic visibility without modifying malware behavior.
  • Recursive object wrapping ensures complete tracking of object relationships, method invocations, and return values.
  • DispatchLogger provides 100% coverage for Windows Script Host, PowerShell COM, and AutoIt late-bound bindings.
  • The tool is highly effective for analyzing WMI-based attacks, Living-off-the-land (LOTL) techniques, fileless malware, and bypassing script obfuscation.

Affected Systems

  • Windows

Attack Chain

Script-based malware (e.g., VBScript, PowerShell) heavily leverages COM automation to interact with Windows components and execute payloads. The malware instantiates COM objects using functions like CoCreateInstance or CoGetClassObject, often requesting the IUnknown interface first before querying for IDispatch. Once bound, the malware invokes methods on these objects to perform malicious actions, such as spawning child processes via WMI (Win32_Process), manipulating the registry, or exfiltrating data, which traditionally obscures the originating script context from behavioral monitoring tools.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: DispatchLogger

The article introduces DispatchLogger, an open-source dynamic analysis tool that logs COM automation interactions, rather than providing static detection rules.

Detection Engineering Assessment

EDR Visibility: Medium — EDRs easily detect the resulting process creation (e.g., wmiprvse.exe spawning cmd.exe), but often lose the critical context of which specific script or parent process initiated the COM call.

Network Visibility: Low — COM automation is primarily a local Inter-Process Communication (IPC) mechanism, though objects like MSXML2.XMLHTTP may generate observable network traffic.

Detection Difficulty: Moderate — Tracing late-bound COM calls back to the originating script is difficult due to script obfuscation and the use of proxy processes like wmiprvse.exe, requiring specialized instrumentation like DispatchLogger for full semantic visibility.

Required Log Sources

  • Process Creation (Event ID 4688)
  • Sysmon Event ID 1 (Process Creation)
  • API Hooking/Instrumentation Logs

Hunting Hypotheses

  • Hypothesis: Look for wmiprvse.exe spawning suspicious child processes (e.g., cmd.exe, powershell.exe), which may indicate WMI abuse via COM automation. | Telemetry: Process Creation Events (Event ID 4688 / Sysmon Event ID 1) | ATT&CK Stage: Execution | FP Risk: Medium
  • Hypothesis: Monitor for script interpreters (wscript.exe, cscript.exe) loading COM-related DLLs and subsequently making anomalous network connections. | Telemetry: Network Connections / Image Load Events | ATT&CK Stage: Command and Control | FP Risk: High

Control Gaps

  • Semantic visibility into late-bound COM object interactions
  • Tracing WMI process creation back to the originating script context

Key Behavioral Indicators

  • wscript.exe or cscript.exe execution
  • wmiprvse.exe spawning command shells
  • Instantiation of Scripting.FileSystemObject or WScript.Shell via scripts
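The first hunting hypothesis above (wmiprvse.exe spawning shells) and the behavioral indicators just listed can be checked directly against process-creation telemetry. The following is an added example, not part of DispatchLogger or the Talos article; it runs over constructed Sysmon Event ID 1 records in JSON-lines form and tags each hit with the ATT&CK technique this report maps it to.

```python
import json
import ntpath

# Constructed Sysmon Event ID 1 records in JSON-lines form (not real telemetry);
# field names follow Sysmon's ProcessCreate schema.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c evil.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wscript.exe C:\\Users\\home\\AppData\\Local\\Temp\\invoice.vbs"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "powershell.exe -File C:\\Users\\home\\AppData\\Local\\Temp\\run.ps1"}
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def hunt(lines):
    """Return (rule, attack_id, command_line) tuples for events matching the hunt.

    Note the visibility gap this report describes: a shell spawned by
    wmiprvse.exe carries only wmiprvse.exe as its parent, so the originating
    script is not recoverable from the process-creation event alone.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("EventID") != 1:
            continue
        image = image_name(ev.get("Image", ""))
        parent = image_name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if parent == "wmiprvse.exe" and image in SHELLS:
            # Hypothesis 1: WMI (Win32_Process) used to spawn a command shell.
            findings.append(("wmi_spawned_shell", "T1047", cmd))
        elif image in SCRIPT_HOSTS:
            # Behavioral indicator: Windows Script Host execution.
            findings.append(("script_host_exec", "T1059.005", cmd))
    return findings


if __name__ == "__main__":
    for rule, attack_id, cmd in hunt(SAMPLE_LOG.splitlines()):
        print(f"{rule:18} {attack_id:10} {cmd}")
```

The WMI-spawned-shell rule inherits the Medium FP risk noted in the hypothesis table; in production, pair it with the DispatchLogger-style script context this report says is missing rather than alerting on the parent/child pair alone.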

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Deploy DispatchLogger in malware analysis sandboxes to improve visibility into script-based threats and extract deobfuscated IOCs.

Infrastructure Hardening

  • Restrict script execution (e.g., VBScript, JScript) using AppLocker or Windows Defender Application Control (WDAC).

User Protection

  • Change default file associations for script files (.vbs, .js, .wsf) to open in a text editor (e.g., notepad.exe) rather than executing via Windows Script Host.

Security Awareness

  • Train SOC analysts and reverse engineers on the use of COM automation in modern malware and how to analyze it using dynamic instrumentation tools.

MITRE ATT&CK Mapping

  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1047 - Windows Management Instrumentation
  • T1559.001 - Inter-Process Communication: Component Object Model

Additional IOCs

  • File Paths:
    • C:\Users\home\AppData\Local\Temp - Example temporary path retrieved via Scripting.FileSystemObject in the tool's log output.
  • Command Lines:
    • cmd.exe /c evil.exe - Purpose: Example of WMI process creation used by script-based malware to spawn a malicious payload. | Tools: WMI, cmd.exe | Stage: Execution
  • Other:
    • {0D43FE01-F093-11CF-8940-00A0C9054228} - CLSID for Scripting.FileSystemObject, frequently abused by script-based malware.
    • {72C24DD5-D70A-438B-8A42-98424B88AFB8} - CLSID for WScript.Shell, frequently abused by script-based malware.
    • MSXML2.XMLHTTP - ProgID used for network requests in script-based malware, visible in the tool's log output.