Listen to this Post

Introduction:
For years, security analysts and incident responders have spotted `dllhost.exe` running on Windows systems and asked a critical question: what is it actually executing? Often mistaken for a standalone LOLBIN (Living Off the Land Binary), the truth is far more nuanced. Recent reverse engineering research reveals that Dllhost is merely a thin wrapper around CoRegisterSurrogateEx, with the real execution logic residing inside `combase.dll` – a distinction that fundamentally changes how defenders should monitor this process.
Learning Objectives:
- Understand the true architecture of `dllhost.exe` and its relationship with COM surrogate execution
- Learn to differentiate between benign COM activity and malicious abuse using registry and process forensics
- Master practical commands and detection rules to audit Dllhost behavior in enterprise environments
You Should Know:
- Dissecting Dllhost: From CLI to Registry – What Really Executes
Contrary to popular belief, `dllhost.exe` does not directly execute DLLs. The original research by Nasreddine B. demonstrates that Dllhost is simply a stub around `CoRegisterSurrogateEx` in combase.dll. When a COM object requests a surrogate host, `combase.dll` handles the actual loading and execution. This means you cannot use `dllhost.exe /Processid:{GUID}` as a direct LOLBIN to run arbitrary DLLs – the registry configuration dictates the behavior.
Step‑by‑step guide to verify Dllhost’s true role:
1. Launch Dllhost manually and observe its behavior:
dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}
Without a valid registered COM surrogate entry, the process exits immediately – proving it cannot act as a generic DLL runner.
- Trace the loaded modules using a tool like `tasklist` or Process Explorer:
Get-Process -Name dllhost | Select-Object -ExpandProperty Modules | Where-Object ModuleName -like "combase"
This confirms that `combase.dll` is loaded and performs the actual work.
-
Inspect the COM surrogate registry keys where the real payload is defined:
reg query HKCR\AppID{GUID} /v DllSurrogateIf the `DllSurrogate` value is empty or contains a string, that dictates whether `dllhost.exe` is invoked. The actual DLL path is stored under the `CLSID` key:
reg query HKCR\CLSID{GUID}\InprocServer32 /v (Default)
Linux alternative (for cross‑platform COM understanding): Wine implements COM surrogate behaviour via `winecompat` – inspect with:
strings /usr/lib/wine/combase.dll.so | grep -i surrogate
What this means for defenders: Monitoring `dllhost.exe` command lines is insufficient. You must track registry reads of `CLSID` and `AppID` keys, and monitor `combase.dll` API calls like `CoRegisterSurrogateEx` and CoGetSurrogate.
2. Registry Forensics: Hunting Malicious COM Surrogates
Attackers may attempt to abuse COM surrogacy by registering malicious DLLs under a new CLSID and setting `DllSurrogate` to an empty string (forcing `dllhost.exe` to act as the surrogate). Use these investigative steps to detect such abuse.
Step‑by‑step registry hunting guide:
- Enumerate all CLSID entries with a non‑empty DllSurrogate value (indicating an out‑of‑process surrogate):
Get-ChildItem HKCR:\CLSID -ErrorAction SilentlyContinue | ForEach-Object { $path = $<em>.PSPath + "\InprocServer32" $dll = (Get-ItemProperty -Path $path -Name "(Default)" -ErrorAction SilentlyContinue).'(Default)' $surrPath = $</em>.PSPath + "\LocalServer32" $surrogate = (Get-ItemProperty -Path $surrPath -Name "DllSurrogate" -ErrorAction SilentlyContinue).'DllSurrogate' if ($surrogate -ne $null) { [bash]@{CLSID=$_.PSChildName; DllPath=$dll; Surrogate=$surrogate} } } | Export-Csv -Path DllSurrogate_audit.csv -NoTypeInformation -
Check for suspicious DLL paths (e.g., in
Temp,AppData, orPublic):findstr /s /i ".dll" C:\temp\DllSurrogate_audit.csv
-
Monitor Dllhost process creation events with Sysmon Event ID 1 (process creation) and correlate with registry changes (Event ID 13 on Windows 10+ via
Microsoft-Windows-Kernel-Registry). -
Use PowerShell to detect unregistered or transient CLSIDs that spawn Dllhost:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object {$<em>.Message -match "dllhost.exe"} | ForEach-Object { $proc = $</em>.Properties[bash].Value CommandLine if ($proc -match "/Processid:{([^}]+)}") { $guid = $matches[bash] Write-Host "Suspicious Dllhost with GUID: $guid" Check if GUID exists in registry if (-not (Test-Path "HKCR:\CLSID\$guid")) { Write-Warning "Unregistered CLSID used! Possible injection." } } } -
Why Dllhost Cannot Be a True LOLBIN – Technical Deep Dive
Living Off the Land Binaries rely on native executables that can execute arbitrary code, scripts, or DLLs via command‑line switches (e.g., rundll32.exe, regsvr32.exe). Dllhost lacks such direct invocation. The research conclusively shows that without a pre‑existing COM registration pointing to a specific DLL, Dllhost does nothing. This limitation forces adversaries to first write to the registry (requiring admin or specific privileges) – a high‑visibility action.
Step‑by‑step verification:
- Attempt to force Dllhost to load an arbitrary DLL using a fake CLSID:
dllhost.exe /Processid:{12345678-1234-1234-1234-123456789ABC}Result: Process exits immediately with no DLL load. Use Process Monitor to confirm:
procmon.exe /AcceptEula /BackingFile dllhost_trace.pml /LoadConfig
Filter on `Process Name` = `dllhost.exe` and `Operation` =
Load Image. No DLL loads occur.
2. Compare with a true LOLBIN like `rundll32.exe`:
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";alert('test')
This executes without any registry modification.
- Analyze the reverse engineering output from `combase.dll` to confirm the surrogate handling:
On Linux analysis box using radare2 or Ghidra r2 -A combase.dll > afl | grep -i surrogate > pdf @ sym.CoRegisterSurrogateEx
The disassembly shows that `CoRegisterSurrogateEx` expects an `ISurrogate` interface pointer – not a file path.
Key takeaway for detection engineering: Focus on `CoRegisterSurrogateEx` API calls via user‑land hooks or ETW (Event Tracing for Windows) provider Microsoft-Windows-COM. Alerts on registry writes to `HKCR\CLSID\\InprocServer32` combined with subsequent `dllhost.exe` child processes indicate abuse.
4. Practical Detection Rules for Dllhost Abuse
Given the technical constraints, attackers must perform at least two actions: register a malicious CLSID and then trigger COM activation. Build detection using Sigma rules and Sysmon.
Step‑by‑step detection engineering:
- Sigma rule to detect new COM surrogate registration (registry event):
title: Suspicious COM Surrogate Registration status: experimental logsource: product: windows service: security detection: selection: EventID: 4657 ObjectName|contains: '\CLSID\' ObjectName|endswith: '\InprocServer32' condition: selection
2. Monitor Dllhost network connections (abnormal outbound):
netstat -ano | findstr dllhost
In a live response, list all Dllhost processes and their parent:
Get-CimInstance Win32_Process | Where-Object Name -eq 'dllhost.exe' |
Select-Object ProcessId, ParentProcessId, CommandLine |
ForEach-Object {
$parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($<em>.ParentProcessId)"
[bash]@{PID=$</em>.ProcessId; Parent=$parent.Name; Cmd=$_.CommandLine}
}
- Use Sysmon Event ID 7 (module load) to detect when `dllhost.exe` loads unexpected DLLs from non‑system paths:
<Sysmon eventid="7"> <Image condition="end with">dllhost.exe</Image> <ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded> </Sysmon>
5. Incident Response Workflow for Suspicious Dllhost Activity
When you see multiple `dllhost.exe` instances with odd command lines or high CPU, follow this IR checklist.
Step‑by‑step IR process:
- Collect all Dllhost process memory for offline analysis:
for /f "tokens=2" %i in ('tasklist /fi "imagename eq dllhost.exe" /fo csv /nh') do ( dumpit.exe %i dllhost_%i.dmp ) -
Extract loaded DLL list from each dump using `strings` and
findstr:strings dllhost_.dmp | findstr /i ".dll$" > loaded_dlls.txt
-
Check for hollowing or injection by comparing mapped sections:
Get-Process -Name dllhost | Get-ProcessMemory | Where-Object {$<em>.Name -notlike "combase" -and $</em>.Name -notlike "ntdll"} -
Correlate with network logs for any connections to suspicious IPs (use tools like
Sysmon Event ID 3):Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=3} | Where-Object {$_.Properties[bash].Value -like "dllhost"} | Format-List TimeCreated, Message
5. Rollback malicious registry changes if confirmed:
reg delete HKCR\CLSID{malicious-guid} /f
reg delete HKCR\AppID{malicious-appid} /f
What Undercode Say:
- Dllhost is a proxy, not an executor – The true execution engine resides in
combase.dll, making command‑line monitoring insufficient. - Registry is the real attack surface – Defenders must audit CLSID and `DllSurrogate` keys as the primary indicator of COM abuse.
Analysis: The research reshapes how we think about Windows LOLBINs. Many red teams have incorrectly listed `dllhost.exe` as a potential binary for executing arbitrary DLLs, but the technical reality is that without prior registry manipulation, it’s inert. This means blue teams can shift focus: rather than alerting on every Dllhost spawn, they should monitor for anomalous registry writes combined with process ancestry. Additionally, because `CoRegisterSurrogateEx` is called from combase.dll, using API‑level telemetry (like Microsoft’s Detours or Event Tracing) provides far higher fidelity than process creation logs.
Prediction:
As adversaries learn the limitations of Dllhost, we will likely see a decline in attempts to abuse it directly. Instead, expect a surge in attacks targeting the COM surrogate registration flow via `CoGetSurrogate` and `IRundown` interfaces – areas still lacking comprehensive logging. This will force Windows defenders to adopt user‑land API hooks or ETW providers for COM, driving a new generation of detection rules focused on interface pointer manipulation rather than process names. The days of trusting `dllhost.exe` as a simple LOLBIN are over; the future is in surrogate interface forensics.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Nasreddinebencherchali A – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


