Potential PSFactoryBuffer COM Hijacking

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1546.015  ·
Share on: linkedin copy

Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.

Sigma rule (View on GitHub)

 1title: Potential PSFactoryBuffer COM Hijacking
 2id: 243380fa-11eb-4141-af92-e14925e77c1b
 3status: test
 4description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
 5references:
 6    - https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
 7    - https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html
 8    - https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection
 9    - https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
10author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
11date: 2023-06-07
12modified: 2023-08-17
13tags:
14    - attack.privilege-escalation
15    - attack.persistence
16    - attack.t1546.015
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        TargetObject|endswith: '\CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default)'
23    filter_main:
24        Details:
25            - '%windir%\System32\ActXPrxy.dll'
26            - 'C:\Windows\System32\ActXPrxy.dll'
27    condition: selection and not filter_main
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top