Detection (level: high, status: experimental)
COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Tue Jul 16
Updated: Mon Nov 10
Rule ID: 790317c0-0a36-4a6a-a105-6e576bf99a14
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (4 selectors)
detection:
    selection_target_root:
        TargetObject|contains: '\CLSID\'
        TargetObject|endswith:
            - '\InprocServer32\(Default)'
            - '\LocalServer32\(Default)'
    selection_target_builtin_clsid:
        TargetObject|contains:
            # Note: Add other legitimate CLSID
            - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
            - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
            - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
            - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
            - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
            - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
            - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
            - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
            - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
            - '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
            - '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
            - '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
            - '\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\'
    selection_susp_location_1:
        Details|contains:
            # Note: Add more suspicious paths and locations
            - ':\Perflogs\'
            - '\AppData\Local\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\System32\spool\drivers\color\' # as seen in the knotweed blog
            - '\Temporary Internet'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '%appdata%'
            - '%temp%'
            - '%tmp%'
    selection_susp_location_2:
        - Details|contains|all:
            - ':\Users\'
            - '\Favorites\'
        - Details|contains|all:
            - ':\Users\'
            - '\Favourites\'
        - Details|contains|all:
            - ':\Users\'
            - '\Contacts\'
        - Details|contains|all:
            - ':\Users\'
            - '\Pictures\'
    condition: all of selection_target_* and 1 of selection_susp_location_*
False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
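The rule's condition carried out in code, as an added example (not part of the rule or the Sigma project): selection names mirror the rule, the TargetObject and Details fields follow the Sigma registry_set log source, only a subset of each list in the rule is copied, and the events are constructed, not real telemetry.

```python
# Added example, not part of the Sigma rule or its page: a small matcher for this
# rule's detection section, run over constructed registry_set events shaped like
# Sysmon Event ID 13 (TargetObject, Details). Only a subset of each list in the
# rule is copied here; extend the lists with the rest of the rule's values.
def contains(value, needle):   # Sigma 'contains': case-insensitive substring
    return needle.lower() in value.lower()

def endswith(value, needle):   # Sigma 'endswith', also case-insensitive
    return value.lower().endswith(needle.lower())

TARGET_SUFFIXES = ["\\InprocServer32\\(Default)", "\\LocalServer32\\(Default)"]
BUILTIN_CLSIDS = ["\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\",   # subset of the rule's list
                  "\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\"]
SUSP_PATHS = [":\\Perflogs\\", "\\AppData\\Local\\", "\\Downloads\\",
              "\\Users\\Public\\", "\\Windows\\Temp\\", "%appdata%", "%temp%"]
SUSP_USER_DIRS = ["\\Favorites\\", "\\Favourites\\", "\\Contacts\\", "\\Pictures\\"]

def selection_target_root(ev):
    t = ev["TargetObject"]
    return contains(t, "\\CLSID\\") and any(endswith(t, s) for s in TARGET_SUFFIXES)

def selection_target_builtin_clsid(ev):
    return any(contains(ev["TargetObject"], c) for c in BUILTIN_CLSIDS)

def selection_susp_location_1(ev):
    return any(contains(ev["Details"], p) for p in SUSP_PATHS)

def selection_susp_location_2(ev):
    # the rule ORs four 'contains|all' entries; each is ':\Users\' AND a profile dir
    d = ev["Details"]
    return contains(d, ":\\Users\\") and any(contains(d, p) for p in SUSP_USER_DIRS)

def rule_matches(ev):
    # condition: all of selection_target_* and 1 of selection_susp_location_*
    return (selection_target_root(ev) and selection_target_builtin_clsid(ev)
            and (selection_susp_location_1(ev) or selection_susp_location_2(ev)))

def evaluate(events):
    return [rule_matches(e) for e in events]

# Constructed sample events (not real telemetry); expected: [True, False, True, False]
KEY = "HKLM\\SOFTWARE\\Classes\\CLSID\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\InprocServer32\\(Default)"
SAMPLE_EVENTS = [
    {"TargetObject": KEY, "Details": "C:\\Users\\Public\\comhost.dll"},
    {"TargetObject": KEY, "Details": "C:\\Windows\\System32\\shell32.dll"},
    {"TargetObject": KEY.replace("HKLM\\SOFTWARE", "HKU\\S-1-5-21-1\\Software"),
     "Details": "C:\\Users\\alice\\Pictures\\comhost.dll"},
    {"TargetObject": KEY.replace("1f486a52", "00000000"), "Details": "%APPDATA%\\x.dll"},
]
```

The second event shows why both target selections must hold: a write of the same CLSID default value pointing into System32 is left alone, and the fourth shows that a suspicious path under an unlisted CLSID does not fire.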
References
microsoft.com
unit42.paloaltonetworks.com
blog.talosintelligence.com
global.ptsecurity.com
threatbook.io
catalyst.prodaft.com
github.com
cert.gov.ua
securelist.com
Related Rules
Similar: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77 (rule not found)
Similar: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12 (rule not found)
Rule Metadata
Rule ID
790317c0-0a36-4a6a-a105-6e576bf99a14
Status
experimental
Level
high
Type
Detection
Created
Tue Jul 16
Modified
Mon Nov 10
Path
rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.t1546.015