Potential PSFactoryBuffer COM Hijacking

Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.

Sigma rule (View on GitHub)

 1title: Potential PSFactoryBuffer COM Hijacking
 2id: 243380fa-11eb-4141-af92-e14925e77c1b
 3status: test
 4description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
 5references:
 6    - https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
 7    - https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html
 8    - https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection
 9    - https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
10author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
11date: 2023/06/07
12modified: 2023/08/17
13tags:
14    - attack.persistence
15    - attack.t1546.015
16logsource:
17    category: registry_set
18    product: windows
19detection:
20    selection:
21        TargetObject|endswith: '\CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default)'
22    filter_main:
23        Details:
24            - '%windir%\System32\ActXPrxy.dll'
25            - 'C:\Windows\System32\ActXPrxy.dll'
26    condition: selection and not filter_main
27falsepositives:
28    - Unknown
29level: high

References

Related rules

to-top