COM Object Hijacking Via Modification Of Default System CLSID Default Value

    Date: 12/17/2024

    Severity: High 

    Summary

    Detects possible COM object hijacking through modification of the (Default) value of a built-in system CLSID's InprocServer32 or LocalServer32 key so that it points to a user-writable location.

    Indicators of Compromise (IOC) List

    TargetObject : 

    '\CLSID\'

    '\InprocServer32\(Default)'

    '\LocalServer32\(Default)'

    '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'

    '\{2155fee3-2419-4373-b102-6843707eb41f}\'

    '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'

    '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'

    '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'

    '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'

    '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'

    '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'

    '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'

    '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'

    ':\Perflogs\'

    '\AppData\Local\'

    '\Desktop\'

    '\Downloads\'

    '\Microsoft\Windows\Start Menu\Programs\Startup\'

    '\System32\spool\drivers\color\' # as seen in the knotweed blog

    '\Temporary Internet'

    '\Users\Public\'

    '\Windows\Temp\'

    '%appdata%'

    '%temp%'

    '%tmp%'

    ':\Users\'

    '\Favorites\'

    '\Favourites\'

    '\Contacts\'

    '\Pictures\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

    (resourcename = "Windows Security" and eventtype = "4657") AND ((objectname like "\CLSID" and (objectname like "\InprocServer32\(Default)" or objectname like "\LocalServer32\(Default)")) AND (objectname like "\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}" OR objectname like "\{2155fee3-2419-4373-b102-6843707eb41f}" or objectname like "\{4590f811-1d3a-11d0-891f-00aa004b2e24}" or objectname like "\{4de225bf-cf59-4cfc-85f7-68b90f185355}" or objectname like "\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}" or objectname like "\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}" or objectname like "\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}" or objectname like "\{7849596a-48ea-486e-8937-a2a3009f31a9}" or objectname like "\{0b91a74b-ad7c-4a9d-b563-29eef9167172}" or objectname like "\{603D3801-BD81-11d0-A3A5-00C04FD706EC}")) AND ((objectname In (":\Perflogs","\AppData\Local","\Desktop","\Downloads","\Microsoft\Windows\Start Menu\Programs\Startup","\System32\spool\drivers\color","\Temporary Internet","\Users\Public","\Windows\Temp","%appdata%","%temp%","%tmp%")) OR ((objectname like ":\Users" and objectname like "\Favorites") or (objectname like ":\Users" and objectname like "\Favourites") or (objectname like ":\Users" and objectname like "\Contacts") or (objectname like ":\Users" and objectname like "\Pictures")))

    Detection Query : 

    (technologygroup = "EDR") AND ((objectname like "\CLSID" and (objectname like "\InprocServer32\(Default)" or objectname like "\LocalServer32\(Default)")) AND (objectname like "\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}" OR objectname like "\{2155fee3-2419-4373-b102-6843707eb41f}" or objectname like "\{4590f811-1d3a-11d0-891f-00aa004b2e24}" or objectname like "\{4de225bf-cf59-4cfc-85f7-68b90f185355}" or objectname like "\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}" or objectname like "\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}" or objectname like "\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}" or objectname like "\{7849596a-48ea-486e-8937-a2a3009f31a9}" or objectname like "\{0b91a74b-ad7c-4a9d-b563-29eef9167172}" or objectname like "\{603D3801-BD81-11d0-A3A5-00C04FD706EC}")) AND ((objectname In (":\Perflogs","\AppData\Local","\Desktop","\Downloads","\Microsoft\Windows\Start Menu\Programs\Startup","\System32\spool\drivers\color","\Temporary Internet","\Users\Public","\Windows\Temp","%appdata%","%temp%","%tmp%")) OR ((objectname like ":\Users" and objectname like "\Favorites") or (objectname like ":\Users" and objectname like "\Favourites") or (objectname like ":\Users" and objectname like "\Contacts") or (objectname like ":\Users" and objectname like "\Pictures")))
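    As an added example (not part of this page or of the referenced Sigma rule), the Python below re-implements the three conditions the queries above encode and runs them over a handful of constructed registry value-set records. It assumes the new value data is available as its own field (`details`, as in Sysmon Event ID 13 or the "New Value" of Security event 4657), since that is where the replacement server path appears; the sample events, process names and file paths are constructed, and the all-zero CLSID is a placeholder for "not on the watch list".

```python
from dataclasses import dataclass

# CLSIDs from the IOC list above, lower-cased: registry paths are
# case-insensitive and the list itself mixes upper and lower case.
HIJACK_CLSIDS = [
    "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}",
    "{2155fee3-2419-4373-b102-6843707eb41f}",
    "{4590f811-1d3a-11d0-891f-00aa004b2e24}",
    "{4de225bf-cf59-4cfc-85f7-68b90f185355}",
    "{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}",
    "{f56f6fdd-aa9d-4618-a949-c1b91af43b1a}",
    "{f82b4ef1-93a9-4dde-8015-f7950a1a6e31}",
    "{7849596a-48ea-486e-8937-a2a3009f31a9}",
    "{0b91a74b-ad7c-4a9d-b563-29eef9167172}",
    "{603d3801-bd81-11d0-a3a5-00c04fd706ec}",
]

# Locations a non-admin user can normally write to (from the IOC list).
SUSPICIOUS_PATHS = [
    ":\\perflogs\\", "\\appdata\\local\\", "\\desktop\\", "\\downloads\\",
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\system32\\spool\\drivers\\color\\", "\\temporary internet",
    "\\users\\public\\", "\\windows\\temp\\", "%appdata%", "%temp%", "%tmp%",
]
# Profile sub-folders that only count when paired with ':\Users\'.
USER_PROFILE_SUBDIRS = ["\\favorites\\", "\\favourites\\", "\\contacts\\", "\\pictures\\"]


@dataclass
class RegistrySetEvent:
    """One registry value-set record (Sysmon EID 13 / Security 4657 style)."""
    image: str          # process that wrote the value
    target_object: str  # full key\value path that was written
    details: str        # new value data (for a COM server: the DLL/EXE path)


def is_com_hijack(ev: RegistrySetEvent) -> bool:
    target = ev.target_object.lower()
    data = ev.details.lower()

    # 1. The value written must be the (Default) of an InprocServer32 or
    #    LocalServer32 key somewhere under a CLSID hive.
    if "\\clsid\\" not in target:
        return False
    if not (target.endswith("\\inprocserver32\\(default)")
            or target.endswith("\\localserver32\\(default)")):
        return False
    # 2. The CLSID must be one of the watched built-in objects.
    if not any("\\" + clsid + "\\" in target for clsid in HIJACK_CLSIDS):
        return False
    # 3. The new server path must point at a user-writable location:
    #    either a listed path, or a sub-folder of a user profile.
    if any(p in data for p in SUSPICIOUS_PATHS):
        return True
    if ":\\users\\" in data and any(s in data for s in USER_PROFILE_SUBDIRS):
        return True
    return False


def scan(events):
    """Return (image, key, new value) for every record that matches."""
    return [(ev.image, ev.target_object, ev.details)
            for ev in events if is_com_hijack(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Watched CLSID, InprocServer32 default rewritten to a public folder -> hit
    RegistrySetEvent("C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe",
                     "HKLM\\SOFTWARE\\Classes\\CLSID\\{2155fee3-2419-4373-b102-6843707eb41f}\\InprocServer32\\(Default)",
                     "C:\\Users\\Public\\update.dll"),
    # Same key, but the value points at a system DLL -> benign
    RegistrySetEvent("C:\\Windows\\System32\\msiexec.exe",
                     "HKLM\\SOFTWARE\\Classes\\CLSID\\{2155fee3-2419-4373-b102-6843707eb41f}\\InprocServer32\\(Default)",
                     "C:\\Windows\\System32\\shell32.dll"),
    # Per-user hive, LocalServer32 default into a profile sub-folder -> hit
    RegistrySetEvent("C:\\Windows\\System32\\reg.exe",
                     "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\LocalServer32\\(Default)",
                     "C:\\Users\\bob\\Favorites\\sync.exe"),
    # Suspicious path, but the CLSID is not on the watch list -> no hit
    RegistrySetEvent("C:\\Windows\\System32\\reg.exe",
                     "HKCU\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32\\(Default)",
                     "C:\\Users\\Public\\x.dll"),
    # Watched CLSID, but a different value under the key was written -> no hit
    RegistrySetEvent("C:\\Windows\\System32\\reg.exe",
                     "HKCU\\Software\\Classes\\CLSID\\{2155fee3-2419-4373-b102-6843707eb41f}\\InprocServer32\\ThreadingModel",
                     "Apartment"),
]

if __name__ == "__main__":
    for image, key, value in scan(SAMPLE_EVENTS):
        print(f"ALERT {image} set {key} = {value}")
```

Security event 4657 is only generated for keys that carry an audit SACL, so in practice this logic is fed from Sysmon Event ID 13 (RegistryEvent, value set) or an EDR registry feed rather than from the Security log alone. The sample records are constructed; the process names and file paths are not indicators of anything.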

    Reference:   

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml


    Tags

    SigmaMalware
