COM Object Hijacking Via Modification Of Default System CLSID Default Value

calendar Jul 1, 2025 · attack.persistence attack.t1546.015  ·
Share on: linkedin copy

Detects potential COM object hijacking via modification of default system CLSID.

Sigma rule (View on GitHub)

 1title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
 2id: 790317c0-0a36-4a6a-a105-6e576bf99a14
 3related:
 4    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
 5      type: obsolete
 6    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
 7      type: obsolete
 8status: experimental
 9description: Detects potential COM object hijacking via modification of default system CLSID.
10references:
11    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
12    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
13    - https://blog.talosintelligence.com/uat-5647-romcom/
14    - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
15    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
16    - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
17    - https://github.com/rtecCyberSec/BitlockMove
18    - https://cert.gov.ua/article/6284080
19author: Nasreddine Bencherchali (Nextron Systems)
20date: 2024-07-16
21modified: 2025-07-01
22tags:
23    - attack.persistence
24    - attack.t1546.015
25logsource:
26    category: registry_set
27    product: windows
28detection:
29    selection_target_root:
30        TargetObject|contains: '\CLSID\'
31        TargetObject|endswith:
32            - '\InprocServer32\(Default)'
33            - '\LocalServer32\(Default)'
34    selection_target_builtin_clsid:
35        TargetObject|contains:
36            # Note: Add other legitimate CLSID
37            - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
38            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
39            - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
40            - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
41            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
42            - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
43            - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
44            - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
45            - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
46            - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
47            - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
48            - '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
49            - '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
50            - '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
51    selection_susp_location_1:
52        Details|contains:
53            # Note: Add more suspicious paths and locations
54            - ':\Perflogs\'
55            - '\AppData\Local\'
56            - '\Desktop\'
57            - '\Downloads\'
58            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
59            - '\System32\spool\drivers\color\' # as seen in the knotweed blog
60            - '\Temporary Internet'
61            - '\Users\Public\'
62            - '\Windows\Temp\'
63            - '%appdata%'
64            - '%temp%'
65            - '%tmp%'
66    selection_susp_location_2:
67        - Details|contains|all:
68              - ':\Users\'
69              - '\Favorites\'
70        - Details|contains|all:
71              - ':\Users\'
72              - '\Favourites\'
73        - Details|contains|all:
74              - ':\Users\'
75              - '\Contacts\'
76        - Details|contains|all:
77              - ':\Users\'
78              - '\Pictures\'
79    condition: all of selection_target_* and 1 of selection_susp_location_*
80falsepositives:
81    - Unlikely
82level: high

References

Related rules

to-top