COM Object Hijacking Via Modification Of Default System CLSID Default Value

Detects potential COM object hijacking via modification of default system CLSID.

Sigma rule (View on GitHub)

 1title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
 2id: 790317c0-0a36-4a6a-a105-6e576bf99a14
 3related:
 4    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
 5      type: obsolete
 6    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
 7      type: obsolete
 8status: experimental
 9description: Detects potential COM object hijacking via modification of default system CLSID.
10references:
11    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
12    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2024-07-16
15modified: 2024-10-01
16tags:
17    - attack.persistence
18    - attack.t1546.015
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    selection_target_root:
24        TargetObject|contains: '\CLSID\'
25        TargetObject|endswith:
26            - '\InprocServer32\(Default)'
27            - '\LocalServer32\(Default)'
28    selection_target_builtin_clsid:
29        TargetObject|contains:
30            # Note: Add other legitimate CLSID
31            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
32            - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
33            - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
34            - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
35            - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
36            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
37    selection_susp_location_1:
38        Details|contains:
39            # Note: Add more suspicious paths and locations
40            - ':\Perflogs\'
41            - '\AppData\Local\'
42            - '\Desktop\'
43            - '\Downloads\'
44            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
45            - '\System32\spool\drivers\color\' # as seen in the knotweed blog
46            - '\Temporary Internet'
47            - '\Users\Public\'
48            - '\Windows\Temp\'
49            - '%appdata%'
50            - '%temp%'
51            - '%tmp%'
52    selection_susp_location_2:
53        - Details|contains|all:
54              - ':\Users\'
55              - '\Favorites\'
56        - Details|contains|all:
57              - ':\Users\'
58              - '\Favourites\'
59        - Details|contains|all:
60              - ':\Users\'
61              - '\Contacts\'
62        - Details|contains|all:
63              - ':\Users\'
64              - '\Pictures\'
65    condition: all of selection_target_* and 1 of selection_susp_location_*
66falsepositives:
67    - Unlikely
68level: high

References

Related rules

to-top