{"id":50230,"date":"2016-06-06T15:34:47","date_gmt":"2016-06-06T22:34:47","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=50230"},"modified":"2025-06-06T01:51:42","modified_gmt":"2025-06-06T08:51:42","slug":"threat-actors-employ-com-technology-shellcode-evade-detection","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/","title":{"rendered":"Threat Actors Employ COM Technology in Shellcode to Evade Detection"},"content":{"rendered":"<p>COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of the fundamental architectures in Windows. From the security point of view, several &#8220;features&#8221; built into COM have led to many security vulnerabilities. These features include ActiveX (an Internet Explorer plug-in technology), the brokers in Internet Explorer Protected Mode and Enhanced Protected Mode, and\u00a0OLE (Object Linking and Embedding), which we <a href=\"https:\/\/www.blackhat.com\/us-15\/briefings.html#attacking-interoperability-an-ole-edition\">analyzed and presented<\/a>\u00a0at last year&#8217;s Black Hat USA conference.<\/p>\n<p>For a local system, there are two\u00a0types of COM objects. One we call in-process COM; for this type, the server and the client run in the same process. The other is cross-process COM; for this type, the server and the client run in different processes.<\/p>\n<p>In this post we will focus on cross-process COM. 
The following is an\u00a0<a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms692621(v=vs.85).aspx\">illustration from the Microsoft Developer Network<\/a>\u00a0showing one process talking with another process via COM (called COM marshaling).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-50233\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/image1-1.png\" alt=\"\" width=\"358\" height=\"356\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image1-1.png 358w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image1-1-150x150.png 150w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image1-1-300x298.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image1-1-32x32.png 32w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image1-1-64x64.png 64w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image1-1-96x96.png 96w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image1-1-128x128.png 128w\" sizes=\"auto, (max-width: 358px) 100vw, 358px\" \/><\/p>\n<p>From the security defense perspective, we have seen COM-related tricks in <a href=\"https:\/\/www.mcafee.com\/en-us\/antivirus\/malware.html\">malware<\/a> samples that abuse COM technology to hide from detection and remain persistent. However, for exploits, as far as we know, there have been no reports.<\/p>\n<p>At McAfee we have recently analyzed a number of interesting samples. The exploited vulnerabilities and the dropped malware are not new. However, from an exploit detection perspective, we now see shellcode employing COM technology to perform post-exploitation operations after successfully exploiting the vulnerability. 
Specifically, Windows Management Instrumentation (WMI) objects\u2014which can be accessed through COM\u2014are used to execute the dropped malware.<\/p>\n<h2>Pseudocode<\/h2>\n<p>We have reverse-engineered the shellcode. The following pseudocode does the trick:<\/p>\n<p><em>\/\/Instantiate the COM object<\/em><br \/>\n<em> CoCreateInstance(CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *) &amp;pLoc);<\/em><\/p>\n<p><em>\/\/Connect to the WMI namespace<\/em><br \/>\n<em> pLoc-&gt;ConnectServer(_bstr_t(L\"ROOT\\\\CIMV2\"), NULL, NULL, 0, NULL, 0, 0, &amp;pSvc);<\/em><\/p>\n<p><em>\/\/Set the authentication information on the proxy<\/em><br \/>\n<em> CoSetProxyBlanket(<\/em><br \/>\n<em> pSvc,<\/em><br \/>\n<em> RPC_C_AUTHN_WINNT,<\/em><br \/>\n<em> RPC_C_AUTHZ_NONE,<\/em><br \/>\n<em> NULL,<\/em><br \/>\n<em> RPC_C_AUTHN_LEVEL_CALL,<\/em><br \/>\n<em> RPC_C_IMP_LEVEL_IMPERSONATE,<\/em><br \/>\n<em> NULL,<\/em><br \/>\n<em> EOAC_NONE<\/em><br \/>\n<em> );<\/em><\/p>\n<p><em>\/\/Get the WMI class<\/em><br \/>\n<em> pSvc-&gt;GetObject(L\"Win32_Process\", 0, NULL, &amp;pClass, NULL);<\/em><\/p>\n<p><em>\/\/Get the method on this class<\/em><br \/>\n<em> pClass-&gt;GetMethod(L\"Create\", 0, &amp;pInParamsDefinition, NULL);<\/em><\/p>\n<p><em>\/\/Create a new instance of the method&#8217;s input-parameter class<\/em><br \/>\n<em> pInParamsDefinition-&gt;SpawnInstance(0, &amp;pClassInstance);<\/em><\/p>\n<p><em>\/\/Put the parameter (the path of the dropped malware)<\/em><br \/>\n<em> VARIANT varCommand;<\/em><br \/>\n<em> varCommand.vt = VT_BSTR;<\/em><br \/>\n<em> varCommand.bstrVal = _bstr_t(L\"<strong>C:\\\\Users\\\\USER1\\\\AppData\\\\Local\\\\Temp\\\\..\\\\Mozilla\\\\ffupd.exe<\/strong>\");<\/em><br \/>\n<em> pClassInstance-&gt;Put(L\"CommandLine\", 0, &amp;varCommand, 0);<\/em><\/p>\n<p><strong><em>\/\/Finally, execute the dropped malware<\/em><\/strong><br \/>\n<em> hres = pSvc-&gt;<strong>ExecMethod<\/strong>(L\"Win32_Process\", 
L\"Create\", 0, NULL, pClassInstance, &amp;pOutParams, NULL);<\/em><\/p>\n<p>Why would the threat actors do this? We conclude the purpose is to evade behavior-based detection. Most behavior-based detection products today, regardless of whether they run on a\u00a0user\u2019s system or in a sandbox, are able to catch a suspicious process launched directly by the &#8220;monitored&#8221; process (the monitored process is the vulnerable process, such as a Word or Internet Explorer process). This can be done in many ways, for example by hooking sensitive Windows APIs such as <em>CreateProcess()<\/em>.<\/p>\n<p>However, the preceding\u00a0WMI (COM) object is not implemented in the same vulnerable process; instead, it is implemented in a separate\u00a0process: <em>C:\\Windows\\system32\\wbem\\wmiprvse.exe<\/em>. When the attacker tries to instantiate the WMI object, a new process, wmiprvse.exe (called the COM server), will be launched from the system service process svchost.exe. Later, wmiprvse.exe will be used to execute the dropped malware (ffupd.exe).<\/p>\n<p>The following illustrates the process.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-50241 \" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/image2-1-300x183.png\" width=\"503\" height=\"307\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image2-1-300x183.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image2-1-768x469.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image2-1.png 769w\" sizes=\"auto, (max-width: 503px) 100vw, 503px\" \/><\/p>\n<p>The point is that the main process that runs the dropped malware is not the vulnerable process (winword.exe, in this example), but the\u00a0new, legitimate process wmiprvse.exe, which does not have a direct relationship with the vulnerable 
process. You won&#8217;t find anything wrong if you just monitor the vulnerable process or look at the &#8220;parent-child process relationship&#8221; on\u00a0the system.<\/p>\n<p>Is this a new attacking technique? COM technology is not new; in fact, it is a &#8220;common technology&#8221; on Windows. One\u00a0Black Hat <a href=\"https:\/\/media.blackhat.com\/bh-us-11\/Tsai\/BH_US_11_TsaiPan_Weapons_Targeted_Attack_WP.pdf\">paper<\/a> (page 15) dates the specific attacking technique to 2011. However, the samples show us that the bad guys are now implementing this technique in real-world attacking operations. Their goal, of course, is to bypass various behavior-based detections on endpoints or in sandboxing systems.<\/p>\n<p>Although the WMI object in this example is not new, we must point out that this WMI object is only one of many potential \u201ccross-process\u201d COM objects in Windows that can be abused. The exploited vulnerabilities in the samples we analyzed are not new, but it is easy for attackers to copy such techniques when exploiting other new or zero-day vulnerabilities. Overall, we need a specific detection to defend against this style of attack.<\/p>\n<p>We hope this post will help our fellow security defenders to understand the attacking technique, recognize the challenge, and take action to\u00a0prepare for it. 
The MD5 hash of the analyzed sample is <em>72A7B4369E820DEB9D526C1F0E6294FB.<\/em><\/p>\n<p><em>Thanks to my colleagues Bing Sun and Stanley Zhu for their\u00a0help with the research and the post.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it&#8230;<\/p>\n","protected":false},"author":610,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[4452,338],"coauthors":[2524],"class_list":["post-50230","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-cybersecurity","tag-endpoint-protection"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Threat Actors Employ COM Technology in Shellcode to Evade Detection | McAfee Blog<\/title>\n<meta name=\"description\" content=\"COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of the\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Threat Actors Employ COM Technology in Shellcode to Evade Detection | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of the\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/\" \/>\n<meta property=\"og:site_name\" 
content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-06-06T22:34:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-06T08:51:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/image1-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"358\" \/>\n\t<meta property=\"og:image:height\" content=\"356\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Haifei Li\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Haifei Li\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/\"},\"author\":{\"name\":\"Haifei Li\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/fd18845cc3f27ed398648df8cc802444\"},\"headline\":\"Threat Actors Employ COM Technology in Shellcode to Evade 
Detection\",\"datePublished\":\"2016-06-06T22:34:47+00:00\",\"dateModified\":\"2025-06-06T08:51:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/\"},\"wordCount\":869,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/image1-1.png\",\"keywords\":[\"cybersecurity\",\"endpoint protection\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/\",\"name\":\"Threat Actors Employ COM Technology in Shellcode to Evade Detection | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/image1-1.png\",\"datePublished\":\"2016-06-06T22:34:47+00:00\",\"dateModified\":\"2025-06-06T08:51:42+00:00\",\"description\":\"COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of 
the\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/image1-1.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/image1-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-employ-com-technology-shellcode-evade-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Threat Actors Employ COM Technology in Shellcode to Evade Detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security 
News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/fd18845cc3f27ed398648df8cc802444\",\"name\":\"Haifei Li\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/88c52c07fcacd190468a32af554e5f36\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/49ae79ecae2f1bff04cb595e12d9cc72?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/49ae79ecae2f1bff04cb595e12d9cc72?s=96&d=mm&r=g\",\"caption\":\"Haifei Li\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/haifeili\/\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/haifei-li\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/50230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/610"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=50230"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/50230\/revisions"}],"predecessor-version":[{"id":215183,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/50230\/revisions\/215183"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=50230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=50230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=50230"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=50230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}