From 1967d9b8ef172909a599e414f8bb943e3662ec3f Mon Sep 17 00:00:00 2001
From: grimlockx
Date: Sat, 29 Mar 2025 17:38:27 -0400
Subject: [PATCH] Added more generic potential HKCU CLSID COM hijacking rule

---
 ..._persistence_com_hijacking_hkcu_sysmon.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_hkcu_sysmon.yml

diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_hkcu_sysmon.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_hkcu_sysmon.yml
new file mode 100644
index 00000000000..b60202404d3
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_hkcu_sysmon.yml
@@ -0,0 +1,29 @@
+title: Potential HKCU CLSID COM Hijacking - Sysmon
+id: 75cfcdfc-eb43-4e66-939a-5fe7af137ae6
+related:
+ - id: 790317c0-0a36-4a6a-a105-6e576bf99a14
+ type: derived
+status: experimental
+description: Detects potential COM object hijacking via modification of HKCU.
+references:
+ - https://hexastrike.com/resources/blog/dfir/com-hijacking-from-a-defenders-perspective/
+ - https://attack.mitre.org/techniques/T1546/015/
+ - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
+ - https://blog.talosintelligence.com/uat-5647-romcom/
+ - https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
+ - https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
+author: Maurice Fielenbach (Hexastrike Cybersecurity)
+date: 2025-03-25
+tags:
+ - attack.persistence
+ - attack.t1546.015
+logsource:
+ category: registry_set
+ product: windows
+ service: sysmon
+detection:
+ TargetObject|regex: 'HKU\\.*CLSID\\.*(InprocServer|LocalServer)(32)?\\\(Default\)'
+ EventID: 13
+falsepositives:
+ - Installation of new applications.
+level: medium
\ No newline at end of file
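Review bot: The `detection:` block has no named selection and no `condition:` — `TargetObject|regex` and `EventID` sit directly under `detection:`, so the rule will be rejected by sigma-cli/pySigma validation and cannot be converted to any backend. Pairing `service: sysmon` with `category: registry_set` is also non-idiomatic for this repository, where the category alone is what maps to Sysmon Event ID 13, so both `service: sysmon` and `EventID: 13` should be dropped in favour of the category. The unanchored `HKU\\.*CLSID\\.*` regex is evaluated against every registry_set event and is cheaper and clearer as startswith/contains/endswith modifiers, as shown below (Sysmon records HKCU writes under `HKU\<SID>\...`, which is why the prefix is `HKU\` while the title says HKCU — worth a one-line comment). Separately, with no filter on `Details`, every per-user installer that registers a COM server will fire (the `falsepositives` entry already concedes this); the derived-from rule 790317c0 presumably narrows on the value written, so consider a `Details` filter for paths under the standard program directories or lowering `level` to `low` — I cannot see that rule from here.
```yaml
# … unchanged: title … date, tags …
logsource:
    category: registry_set
    product: windows
detection:
    # Sysmon logs HKCU paths as HKU\<SID>\..., hence the HKU prefix
    selection:
        TargetObject|startswith: 'HKU\'
        TargetObject|contains: '\CLSID\'
        TargetObject|endswith:
            - '\InprocServer\(Default)'
            - '\InprocServer32\(Default)'
            - '\LocalServer\(Default)'
            - '\LocalServer32\(Default)'
    condition: selection
# … unchanged: falsepositives, level …
```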