COM Object Hijacking Via Modification Of Default System CLSID Default Value

Date: 10/30/2024

Severity: Low

Summary

Identifies potential COM object hijacking through modification of the (Default) value of the InprocServer32 or LocalServer32 key under a built-in system CLSID, where the newly written value points to a binary in a user-writable or otherwise unusual location.

Indicators of Compromise (IOC) List

TargetObject:

    '\CLSID\'
    '\InprocServer32\(Default)'
    '\LocalServer32\(Default)'
    '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
    '\{2155fee3-2419-4373-b102-6843707eb41f}\'
    '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
    '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
    '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
    '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
    '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'

Details:

    ':\Perflogs\'
    '\AppData\Local\'
    '\Desktop\'
    '\Downloads\'
    '\Microsoft\Windows\Start Menu\Programs\Startup\'
    '\System32\spool\drivers\color\'
    '\Temporary Internet'
    '\Users\Public\'
    '\Windows\Temp\'
    '%appdata%'
    '%temp%'
    '%tmp%'
    ':\Users\'
    '\Favorites\'
    '\Favourites\'
    '\Contacts\'
    '\Pictures\'

Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1:

    resourcename = "Windows Security" and Eventtype = "4657" and objectname In ("\CLSID","\InprocServer32\(Default)","\LocalServer32\(Default)","\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","\{2155fee3-2419-4373-b102-6843707eb41f}","\{4590f811-1d3a-11d0-891f-00aa004b2e24}","\{4de225bf-cf59-4cfc-85f7-68b90f185355}","\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}","\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}",":\Perflogs","\AppData\Local","\Desktop","\Downloads","\Microsoft\Windows\Start Menu\Programs\Startup","\System32\spool\drivers\color","\Temporary Internet","\Users\Public","\Windows\Temp","%appdata%","%temp%","%tmp%",":\Users","\Favorites","\Favourites","\Contacts","\Pictures")

Detection Query 2:

    technologygroup = "EDR" AND objectname In ("\CLSID","\InprocServer32\(Default)","\LocalServer32\(Default)","\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}","\{2155fee3-2419-4373-b102-6843707eb41f}","\{4590f811-1d3a-11d0-891f-00aa004b2e24}","\{4de225bf-cf59-4cfc-85f7-68b90f185355}","\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}","\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}","\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}",":\Perflogs","\AppData\Local","\Desktop","\Downloads","\Microsoft\Windows\Start Menu\Programs\Startup","\System32\spool\drivers\color","\Temporary Internet","\Users\Public","\Windows\Temp","%appdata%","%temp%","%tmp%",":\Users","\Favorites","\Favourites","\Contacts","\Pictures")
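The queries above list every indicator in a single In(...) clause. To show how the two halves of the IOC list are meant to combine, the following is an added Python example (not Gurucul's code and not the referenced Sigma rule itself) that evaluates registry "value set" records the way the referenced Sigma rule is structured: the TargetObject indicators are applied as substring and suffix conditions on the written value's path, and the Details indicators as substring conditions on the data written. The record field names (target_object, details), the RegistryValueSetEvent class and all sample events are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Built-in system CLSIDs from the page's IOC list. Registry paths are case-insensitive,
# so everything is compared lower-cased.
HIJACK_PRONE_CLSIDS = frozenset(g.lower() for g in (
    "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}",
    "{2155fee3-2419-4373-b102-6843707eb41f}",
    "{4590f811-1d3a-11d0-891f-00aa004b2e24}",
    "{4de225bf-cf59-4cfc-85f7-68b90f185355}",
    "{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}",
    "{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}",
    "{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}",
))

# The (Default) value of these subkeys names the COM server binary that gets loaded.
SERVER_DEFAULT_SUFFIXES = ("\\inprocserver32\\(default)", "\\localserver32\\(default)")

# User-writable or otherwise unusual locations from the page's Details list (lower-cased).
SUSPICIOUS_PATH_FRAGMENTS = (
    ":\\perflogs\\", "\\appdata\\local\\", "\\desktop\\", "\\downloads\\",
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\system32\\spool\\drivers\\color\\", "\\temporary internet", "\\users\\public\\",
    "\\windows\\temp\\", "%appdata%", "%temp%", "%tmp%", ":\\users\\",
    "\\favorites\\", "\\favourites\\", "\\contacts\\", "\\pictures\\",
)


@dataclass(frozen=True)
class RegistryValueSetEvent:
    """Minimal shape of a registry 'value set' record (assumed field names)."""
    target_object: str  # full path of the registry value that was written
    details: str        # the data written, e.g. the path to a DLL or EXE


def matched_path_fragment(event: RegistryValueSetEvent) -> Optional[str]:
    """Return the suspicious Details fragment that fires the rule, or None if it does not fire."""
    target = event.target_object.lower()
    # 1. Written value must live under a CLSID key and be the (Default) of InprocServer32/LocalServer32.
    if "\\clsid\\" not in target or not target.endswith(SERVER_DEFAULT_SUFFIXES):
        return None
    # 2. The CLSID must be one of the listed built-in system CLSIDs.
    if not any(guid in target for guid in HIJACK_PRONE_CLSIDS):
        return None
    # 3. The data written must point into one of the suspicious locations.
    details = event.details.lower()
    return next((frag for frag in SUSPICIOUS_PATH_FRAGMENTS if frag in details), None)


def is_com_hijack_candidate(event: RegistryValueSetEvent) -> bool:
    return matched_path_fragment(event) is not None


def scan(events: List[RegistryValueSetEvent]) -> List[Tuple[RegistryValueSetEvent, str]]:
    """Return (event, matched fragment) for every record that satisfies all three conditions."""
    return [(e, matched_path_fragment(e)) for e in events if is_com_hijack_candidate(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Per-user override of a listed CLSID pointing at a DLL under AppData\Local: fires.
    RegistryValueSetEvent(
        r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32\(Default)",
        r"C:\Users\alice\AppData\Local\Temp\update.dll"),
    # Same CLSID, but the data points at a system DLL: does not fire.
    RegistryValueSetEvent(
        r"HKLM\SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32\(Default)",
        r"C:\Windows\System32\shell32.dll"),
    # Suspicious location, but the CLSID is not in the list: does not fire.
    RegistryValueSetEvent(
        r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
        r"C:\Users\Public\helper.dll"),
    # Listed CLSID and suspicious data, but a value other than (Default): does not fire.
    RegistryValueSetEvent(
        r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32\ThreadingModel",
        r"%appdata%\svc.dll"),
    # LocalServer32 with an unexpanded environment variable: fires on '%appdata%'.
    RegistryValueSetEvent(
        r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\LocalServer32\(Default)",
        r"%APPDATA%\Microsoft\svc.exe"),
]

if __name__ == "__main__":
    for event, fragment in scan(SAMPLE_EVENTS):
        print(f"COM hijack candidate: {event.target_object} -> {event.details} (matched {fragment!r})")
```

Two tuning points a practitioner should weigh before deploying logic like this: the ':\Users\' fragment matches any profile path, so the Details condition on its own is broad, and the HKU (per-user) hive is the more interesting place for these writes because a per-user CLSID entry overrides the machine-wide one without administrator rights; alerting on HKLM writes of the same shape mostly surfaces installers and should be baselined separately.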

Reference:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml

Tags: Malware, Sigma, COM Object Hijacking
