COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
Sigma rule
title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
id: 790317c0-0a36-4a6a-a105-6e576bf99a14
related:
    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
      type: obsolete
    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
      type: obsolete
status: experimental
description: Detects potential COM object hijacking via modification of default system CLSID.
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-16
modified: 2024-10-01
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_target_root:
        TargetObject|contains: '\CLSID\'
        TargetObject|endswith:
            - '\InprocServer32\(Default)'
            - '\LocalServer32\(Default)'
    selection_target_builtin_clsid:
        TargetObject|contains:
            # Note: Add other legitimate CLSID
            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
            - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
            - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
            - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
            - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
    selection_susp_location_1:
        Details|contains:
            # Note: Add more suspicious paths and locations
            - ':\Perflogs\'
            - '\AppData\Local\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\System32\spool\drivers\color\' # as seen in the knotweed blog
            - '\Temporary Internet'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '%appdata%'
            - '%temp%'
            - '%tmp%'
    selection_susp_location_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Details|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: all of selection_target_* and 1 of selection_susp_location_*
falsepositives:
    - Unlikely
level: high
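As an added illustration (not part of the Sigma project or the rule author's work), the Python below evaluates the rule's detection logic over constructed registry_set events: both selection_target_* groups must hold and at least one selection_susp_location_* group must hold. The field names TargetObject and Details are the Sysmon Event ID 13 fields the logsource maps to; the sample SIDs, user names and file paths are invented.

```python
# Values copied from the rule above; matching is case-insensitive, as Sigma's string modifiers are.
TARGET_SUFFIXES = ["\\InprocServer32\\(Default)", "\\LocalServer32\\(Default)"]
BUILTIN_CLSIDS = [
    "\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\", "\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\",
    "\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\", "\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\",
    "\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\", "\\{2155fee3-2419-4373-b102-6843707eb41f}\\",
]
SUSP_PATHS = [
    ":\\Perflogs\\", "\\AppData\\Local\\", "\\Desktop\\", "\\Downloads\\",
    "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", "\\System32\\spool\\drivers\\color\\",
    "\\Temporary Internet", "\\Users\\Public\\", "\\Windows\\Temp\\", "%appdata%", "%temp%", "%tmp%",
]
USER_SUBDIRS = ["\\Favorites\\", "\\Favourites\\", "\\Contacts\\", "\\Pictures\\"]

def _contains_any(value: str, needles: list) -> bool:
    """Sigma 'contains' over a list: true if any needle is a case-insensitive substring."""
    v = value.lower()
    return any(n.lower() in v for n in needles)

def matches_rule(event: dict) -> bool:
    """True when a registry_set event satisfies the rule's condition."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    # selection_target_root: key path under \CLSID\ and the value written is a server's (Default)
    target_root = _contains_any(target, ["\\CLSID\\"]) and any(
        target.lower().endswith(s.lower()) for s in TARGET_SUFFIXES)
    # selection_target_builtin_clsid: only the CLSIDs enumerated in the rule are in scope
    target_builtin = _contains_any(target, BUILTIN_CLSIDS)
    # selection_susp_location_1: the new server path lies in a user-writable location
    susp_1 = _contains_any(details, SUSP_PATHS)
    # selection_susp_location_2 (contains|all): ':\Users\' plus one of the profile folders
    susp_2 = _contains_any(details, [":\\Users\\"]) and _contains_any(details, USER_SUBDIRS)
    # condition: all of selection_target_* and 1 of selection_susp_location_*
    return target_root and target_builtin and (susp_1 or susp_2)

# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 13.
SAMPLE_EVENTS = [
    {"TargetObject": "HKU\\S-1-5-21-1\\Software\\Classes\\CLSID\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\InprocServer32\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"},  # listed CLSID -> user-writable path: fires
    {"TargetObject": "HKLM\\Software\\Classes\\CLSID\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\InprocServer32\\(Default)",
     "Details": "C:\\Windows\\System32\\example.dll"},  # installer writing a System32 path: does not fire
    {"TargetObject": "HKCU\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000001}\\LocalServer32\\(Default)",
     "Details": "C:\\Users\\bob\\Downloads\\tool.exe"},  # CLSID not in the rule's list: does not fire
]

def evaluate(events: list) -> list:
    """Run the rule over a batch of events and return one verdict per event."""
    return [matches_rule(e) for e in events]
```

The third sample shows the scoping the rule's own "Add other legitimate CLSID" note points at: a CLSID outside the enumerated list is not covered, so the list is the place to extend coverage for the systems you defend.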
Related rules
- COM Hijacking via TreatAs
- Potential COM Object Hijacking Via TreatAs Subkey - Registry
- Potential PSFactoryBuffer COM Hijacking
- Potential Persistence Using DebugPath
- Potential Persistence Via Scrobj.dll COM Hijacking