COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
Sigma rule
```yaml
title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
id: 790317c0-0a36-4a6a-a105-6e576bf99a14
related:
    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
      type: obsolete
    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
      type: obsolete
status: experimental
description: Detects potential COM object hijacking via modification of default system CLSID.
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
    - https://blog.talosintelligence.com/uat-5647-romcom/
    - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
    - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
    - https://github.com/rtecCyberSec/BitlockMove
    - https://cert.gov.ua/article/6284080
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-16
modified: 2025-07-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_target_root:
        TargetObject|contains: '\CLSID\'
        TargetObject|endswith:
            - '\InprocServer32\(Default)'
            - '\LocalServer32\(Default)'
    selection_target_builtin_clsid:
        TargetObject|contains:
            # Note: Add other legitimate CLSID
            - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
            - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
            - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
            - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
            - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
            - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
            - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
            - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
            - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
            - '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
            - '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
            - '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
    selection_susp_location_1:
        Details|contains:
            # Note: Add more suspicious paths and locations
            - ':\Perflogs\'
            - '\AppData\Local\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\System32\spool\drivers\color\' # as seen in the knotweed blog
            - '\Temporary Internet'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '%appdata%'
            - '%temp%'
            - '%tmp%'
    selection_susp_location_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Details|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: all of selection_target_* and 1 of selection_susp_location_*
falsepositives:
    - Unlikely
level: high
```
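As an added example that is not part of the Sigma rule or the SigmaHQ project, the following Python re-implements the detection block above by hand (it is not a Sigma backend) and runs it over constructed Sysmon EventID 13 events; the CLSID and path lists are shortened copies of the rule's, and the registry hive paths, SID and file names are made up.

```python
# Added example (not Sigma's own code): a minimal evaluator for the rule's
# detection block, run over constructed Sysmon EventID 13 (registry_set) events.
# Sigma's contains/endswith modifiers are case-insensitive, hence the lower().
BUILTIN_CLSIDS = [  # shortened copy of selection_target_builtin_clsid
    "\\{2155fee3-2419-4373-b102-6843707eb41f}\\",
    "\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\\",
]
SUSP_LOCATIONS_1 = [  # shortened copy of selection_susp_location_1
    ":\\Perflogs\\", "\\AppData\\Local\\", "\\Downloads\\", "\\Users\\Public\\",
    "\\Windows\\Temp\\", "%appdata%", "%temp%", "%tmp%",
]
SUSP_LOCATIONS_2 = [  # selection_susp_location_2: each tuple is a contains|all group
    (":\\Users\\", "\\Favorites\\"), (":\\Users\\", "\\Favourites\\"),
    (":\\Users\\", "\\Contacts\\"), (":\\Users\\", "\\Pictures\\"),
]

def rule_matches(event: dict) -> bool:
    """all of selection_target_* and 1 of selection_susp_location_*"""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    # selection_target_root: the default value of a CLSID server key is written
    if "\\clsid\\" not in target or not target.endswith(
            ("\\inprocserver32\\(default)", "\\localserver32\\(default)")):
        return False
    # selection_target_builtin_clsid: the CLSID belongs to a listed system object
    if not any(c.lower() in target for c in BUILTIN_CLSIDS):
        return False
    # 1 of selection_susp_location_*: new server path lies in a user-writable spot
    loc1 = any(p.lower() in details for p in SUSP_LOCATIONS_1)
    loc2 = any(all(p.lower() in details for p in grp) for grp in SUSP_LOCATIONS_2)
    return loc1 or loc2

CLSID = r"\{2155fee3-2419-4373-b102-6843707eb41f}"
HKU = r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\CLSID"  # constructed SID
SAMPLE_EVENTS = [  # constructed events; expected verdict in the trailing comment
    {"TargetObject": HKU + CLSID + r"\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},   # True: user-writable DLL
    {"TargetObject": r"HKLM\SOFTWARE\Classes\CLSID" + CLSID + r"\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\shell32.dll"},                # False: system path
    {"TargetObject": HKU + CLSID + r"\TreatAs\(Default)",
     "Details": r"{00000000-0000-0000-0000-000000000000}"},         # False: TreatAs, other rule
    {"TargetObject": HKU + r"\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\LocalServer32\(Default)",
     "Details": r"C:\Users\bob\Favorites\sync.exe"},                # True: Users + Favorites
]

def evaluate(events=SAMPLE_EVENTS) -> list:
    """Apply the rule to each event and return one verdict per event."""
    return [rule_matches(e) for e in events]
```

The third event is deliberately excluded: a TreatAs default value is the scope of the related TreatAs rules listed below, not of this one.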
Related rules
- COM Hijacking via TreatAs
- Potential COM Object Hijacking Via TreatAs Subkey - Registry
- Potential PSFactoryBuffer COM Hijacking
- Potential Persistence Using DebugPath
- Potential Persistence Via Scrobj.dll COM Hijacking