Merge PR #5084 from @MalGamy12 - Update COM Object Hijacking Via Modification Of Default System CLSID Default Value

update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add 2 new additional built-in COM object GUIDs that were seen being used for hijacking
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Author: Gameel Ali
Date: 2024-12-01 14:48:59 +02:00
Committed by: GitHub
Parent: 9367349016
Commit: 995dac17d1
@@ -11,9 +11,10 @@ references:
- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
- https://blog.talosintelligence.com/uat-5647-romcom/
- https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-16
modified: 2024-10-18
modified: 2024-11-19
tags:
- attack.persistence
- attack.t1546.015
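Review bot: the `modified:` field changes from 2024-10-18 to 2024-11-19, which predates the commit date shown above (2024-12-01); confirm that 2024-11-19 is the intended revision date for this change set, since the `modified` value is what consumers use to detect that the rule content changed. The new reference (the Positive Technologies DarkHotel write-up) is added without any indication of which of the rule's entries it supports; a short note in the commit body or an inline comment next to the entries it justifies would make the provenance traceable.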
@@ -36,6 +37,8 @@ detection:
- '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
- '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
- '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
- '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
- '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
selection_susp_location_1:
Details|contains:
# Note: Add more suspicious paths and locations
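Review bot: the two new CLSID entries (`7849596a-48ea-486e-8937-a2a3009f31a9` and `0b91a74b-ad7c-4a9d-b563-29eef9167172`) carry no comment tying them to the source that documents their abuse, unlike the commit message which only says they "were seen being used for hijacking". Consider annotating each entry with the report it comes from (for example `# Seen in the DarkHotel report added in references`) so a future reviewer can verify that each GUID is a default system CLSID, which is what the rule title and the surrounding `selection_*` blocks are scoped to, and not a third-party component that would introduce false positives.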