Merge PR #5026 from @X-Junior - Update `COM Object Hijacking Via Modi…

…fication Of Default System CLSID Default Value` update : COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add new suspicious locations and builtin CLSID --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Oct 1, 2024 · 1f1f31e · 1f1f31e
1 parent 08c52c3
commit 1f1f31e
Showing 1 changed file with 23 additions and 5 deletions.
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -9,42 +9,60 @@ status: experimental
 description: Detects potential COM object hijacking via modification of default system CLSID.
 references:
     - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
+    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
+modified: 2024-10-01
 tags:
     - attack.persistence
     - attack.t1546.015
 logsource:
     category: registry_set
     product: windows
 detection:
-    selection_target:
+    selection_target_root:
         TargetObject|contains: '\CLSID\'
         TargetObject|endswith:
             - '\InprocServer32\(Default)'
             - '\LocalServer32\(Default)'
-    selection_builtin_clsid:
+    selection_target_builtin_clsid:
         TargetObject|contains:
             # Note: Add other legitimate CLSID
             - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
             - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
             - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
             - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
             - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
-    selection_locations:
+            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
+    selection_susp_location_1:
         Details|contains:
             # Note: Add more suspicious paths and locations
-            - '\AppData\Local\Temp\'
+            - ':\Perflogs\'
+            - '\AppData\Local\'
             - '\Desktop\'
             - '\Downloads\'
             - '\Microsoft\Windows\Start Menu\Programs\Startup\'
             - '\System32\spool\drivers\color\' # as seen in the knotweed blog
+            - '\Temporary Internet'
             - '\Users\Public\'
             - '\Windows\Temp\'
             - '%appdata%'
             - '%temp%'
             - '%tmp%'
-    condition: all of selection_*
+    selection_susp_location_2:
+        - Details|contains|all:
+              - ':\Users\'
+              - '\Favorites\'
+        - Details|contains|all:
+              - ':\Users\'
+              - '\Favourites\'
+        - Details|contains|all:
+              - ':\Users\'
+              - '\Contacts\'
+        - Details|contains|all:
+              - ':\Users\'
+              - '\Pictures\'
+    condition: all of selection_target_* and 1 of selection_susp_location_*
 falsepositives:
     - Unlikely
 level: high