COM Object Hijacking Via Modification Of Default System CLSID Default Value

 1title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
 2id: 790317c0-0a36-4a6a-a105-6e576bf99a14
 3related:
 4    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
 5      type: obsolete
 6    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
 7      type: obsolete
 8status: experimental
 9description: Detects potential COM object hijacking via modification of default system CLSID.
10references:
11    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
12    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
13    - https://blog.talosintelligence.com/uat-5647-romcom/
14    - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
15    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
16    - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
17author: Nasreddine Bencherchali (Nextron Systems)
18date: 2024-07-16
19modified: 2025-05-06
20tags:
21    - attack.persistence
22    - attack.t1546.015
23logsource:
24    category: registry_set
25    product: windows
26detection:
27    selection_target_root:
28        TargetObject|contains: '\CLSID\'
29        TargetObject|endswith:
30            - '\InprocServer32\(Default)'
31            - '\LocalServer32\(Default)'
32    selection_target_builtin_clsid:
33        TargetObject|contains:
34            # Note: Add other legitimate CLSID
35            - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
36            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
37            - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
38            - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
39            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
40            - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
41            - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
42            - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
43            - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
44            - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
45            - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
46    selection_susp_location_1:
47        Details|contains:
48            # Note: Add more suspicious paths and locations
49            - ':\Perflogs\'
50            - '\AppData\Local\'
51            - '\Desktop\'
52            - '\Downloads\'
53            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
54            - '\System32\spool\drivers\color\' # as seen in the knotweed blog
55            - '\Temporary Internet'
56            - '\Users\Public\'
57            - '\Windows\Temp\'
58            - '%appdata%'
59            - '%temp%'
60            - '%tmp%'
61    selection_susp_location_2:
62        - Details|contains|all:
63              - ':\Users\'
64              - '\Favorites\'
65        - Details|contains|all:
66              - ':\Users\'
67              - '\Favourites\'
68        - Details|contains|all:
69              - ':\Users\'
70              - '\Contacts\'
71        - Details|contains|all:
72              - ':\Users\'
73              - '\Pictures\'
74    condition: all of selection_target_* and 1 of selection_susp_location_*
75falsepositives:
76    - Unlikely
77level: high

References

• https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)

  
  Read More

• Inside SnipBot: The Latest RomCom Malware Variant

  

  We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain. We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain.

  
  Read More

• UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

  

  Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities

  
  Read More

• DarkHotel. A cluster of groups united by common techniques

  

  In early September 2024, specialists at the Threat Intelligence (TI) Department of Positive Technologies Expert Security Center (PT ESC) uncovered a suspicious VHDX virtual disk image—an extremely rare occurrence when viewing a data stream. Following analysis of the VHDX and all its associated files, they were able to attribute the attack to the APT-C-60 group. ThreatBook experts described one of the latest similar campaigns in July 2023. However, the PT ESC team has found some differences from that earlier campaign both in the file hierarchy on the disk and in the commands and tools used. In this article, we have outlined the structure of the files on the virtual disk, the analysis of the attack chain, the search for additional files, the reasons why we believe this attack can be attributed to the APT-C-60 group, as well as how these attackers are connected to the DarkHotel group.

  
  Read More

• Analysis of APT-C-60 Attack on South Korea

  

  
  Read More

• Prodaft CATALYST

  
  Read More

Related rules

• COM Hijacking via TreatAs
• Potential COM Object Hijacking Via TreatAs Subkey - Registry
• Potential PSFactoryBuffer COM Hijacking
• Potential Persistence Using DebugPath
• Potential Persistence Via Scrobj.dll COM Hijacking