From 1f1f31e99c3c1dd2ac21f471ca7ec67a923c3e87 Mon Sep 17 00:00:00 2001
From: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com>
Date: Tue, 1 Oct 2024 16:22:42 +0300
Subject: [PATCH] Merge PR #5026 from @X-Junior - Update `COM Object Hijacking Via Modification Of Default System CLSID Default Value`
update : COM Object Hijacking Via Modification Of Default System CLSID Default Value
- Add new suspicious locations and builtin CLSID
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ..._set_persistence_com_hijacking_builtin.yml | 28 +++++++++++++++----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index 1d115015d..0e8c8291a 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -9,8 +9,10 @@ status: experimental
 description: Detects potential COM object hijacking via modification of default system CLSID.
 references:
 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
+ - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
+modified: 2024-10-01
 tags:
 - attack.persistence
 - attack.t1546.015
@@ -18,12 +20,12 @@ logsource:
 category: registry_set
 product: windows
 detection:
- selection_target:
+ selection_target_root:
 TargetObject|contains: '\CLSID\'
 TargetObject|endswith:
 - '\InprocServer32\(Default)'
 - '\LocalServer32\(Default)'
- selection_builtin_clsid:
+ selection_target_builtin_clsid:
 TargetObject|contains: # Note: Add other legitimate CLSID
 - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
@@ -31,20 +33,36 @@ detection:
 - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
 - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
 - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
- selection_locations:
+ - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
+ selection_susp_location_1:
 Details|contains: # Note: Add more suspicious paths and locations
- - '\AppData\Local\Temp\'
+ - ':\Perflogs\'
+ - '\AppData\Local\'
 - '\Desktop\'
 - '\Downloads\'
 - '\Microsoft\Windows\Start Menu\Programs\Startup\'
 - '\System32\spool\drivers\color\' # as seen in the knotweed blog
+ - '\Temporary Internet'
 - '\Users\Public\'
 - '\Windows\Temp\'
 - '%appdata%'
 - '%temp%'
 - '%tmp%'
- condition: all of selection_*
+ selection_susp_location_2: - Details|contains|all: - ':\Users\' - '\Favorites\' - Details|contains|all: - ':\Users\' - '\Favourites\' - Details|contains|all: - ':\Users\' - '\Contacts\' - Details|contains|all: - ':\Users\' - '\Pictures\'
+ condition: all of selection_target_* and 1 of selection_susp_location_*
 falsepositives:
 - Unlikely
 level: high
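Review bot: `'\Temporary Internet'` in selection_susp_location_1 is the only entry in the list without a trailing backslash, and nothing says whether that is deliberate (presumably to match the `Temporary Internet Files` folder name) or an omission; a comment on that line, `# Note: No trailing backslash on purpose. Matches 'Temporary Internet Files'`, would keep a later cleanup from breaking the match. Swapping `'\AppData\Local\Temp\'` for `'\AppData\Local\'` widens the match from the temp folder to every per-user application directory, which is contained by the built-in CLSID list above but is a much broader surface than the referenced reports describe, so `falsepositives: - Unlikely` and `level: high` should be rechecked against baseline telemetry before merge. In selection_susp_location_2, `'\Favourites\'` directly after `'\Favorites\'` reads like a duplicate; if both spellings are intended, a comment such as `# Note: Both spellings are intentional` prevents it being removed as a typo. The `detection:` mapping that the new condition belongs to, including the selection_target_* selections it references, starts in the previous hunk.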