COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
Sigma rule (View on GitHub)
1title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
2id: 790317c0-0a36-4a6a-a105-6e576bf99a14
3related:
4 - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
5 type: obsolete
6 - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
7 type: obsolete
8status: experimental
9description: Detects potential COM object hijacking via modification of default system CLSID.
10references:
11 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
12 - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
13 - https://blog.talosintelligence.com/uat-5647-romcom/
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2024-07-16
16modified: 2024-10-18
17tags:
18 - attack.persistence
19 - attack.t1546.015
20logsource:
21 category: registry_set
22 product: windows
23detection:
24 selection_target_root:
25 TargetObject|contains: '\CLSID\'
26 TargetObject|endswith:
27 - '\InprocServer32\(Default)'
28 - '\LocalServer32\(Default)'
29 selection_target_builtin_clsid:
30 TargetObject|contains:
31 # Note: Add other legitimate CLSID
32 - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
33 - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
34 - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
35 - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
36 - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
37 - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
38 - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
39 selection_susp_location_1:
40 Details|contains:
41 # Note: Add more suspicious paths and locations
42 - ':\Perflogs\'
43 - '\AppData\Local\'
44 - '\Desktop\'
45 - '\Downloads\'
46 - '\Microsoft\Windows\Start Menu\Programs\Startup\'
47 - '\System32\spool\drivers\color\' # as seen in the knotweed blog
48 - '\Temporary Internet'
49 - '\Users\Public\'
50 - '\Windows\Temp\'
51 - '%appdata%'
52 - '%temp%'
53 - '%tmp%'
54 selection_susp_location_2:
55 - Details|contains|all:
56 - ':\Users\'
57 - '\Favorites\'
58 - Details|contains|all:
59 - ':\Users\'
60 - '\Favourites\'
61 - Details|contains|all:
62 - ':\Users\'
63 - '\Contacts\'
64 - Details|contains|all:
65 - ':\Users\'
66 - '\Pictures\'
67 condition: all of selection_target_* and 1 of selection_susp_location_*
68falsepositives:
69 - Unlikely
70level: high
References
-
We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain. We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain.
Read More -
Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities
Read More
Related rules
- COM Hijacking via TreatAs
- Potential COM Object Hijacking Via TreatAs Subkey - Registry
- Potential PSFactoryBuffer COM Hijacking
- Potential Persistence Using DebugPath
- Potential Persistence Via Scrobj.dll COM Hijacking