From 995dac17d1af1499e7fe0a6786ea78ee6415bfe1 Mon Sep 17 00:00:00 2001
From: Gameel Ali
Date: Sun, 1 Dec 2024 14:48:59 +0200
Subject: [PATCH] Merge PR #5084 from @MalGamy12 - Update `COM Object Hijacking Via Modification Of Default System CLSID Default Value`

update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add 2 new additional built-in COM object GUID that were seen being used for hijacking

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../registry_set_persistence_com_hijacking_builtin.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index a30291b34..82a4e7413 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -11,9 +11,10 @@ references:
 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
 - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
 - https://blog.talosintelligence.com/uat-5647-romcom/
+ - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
-modified: 2024-10-18
+modified: 2024-11-19
 tags:
 - attack.persistence
 - attack.t1546.015
@@ -36,6 +37,8 @@ detection:
 - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
 - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
 - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
+ - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
+ - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
 selection_susp_location_1:
 Details|contains:
 # Note: Add more suspicious paths and locations
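Review bot: The two CLSIDs appended in the second hunk carry no inline comment tying them to the DarkHotel reference added in the first hunk, so a maintainer later cannot tell which source each GUID comes from or confirm that both are default system CLSIDs as the rule title requires. I would add `# Note: Reported in DarkHotel activity - see ptsecurity reference` directly above the two new entries, matching the `# Note:` comment style already used further down in the hunk. The lowercase formatting of the new GUIDs next to the mixed-case neighbours is harmless because Sigma's `contains` modifier matches case-insensitively, but a short comment saying so would stop the next contributor from "fixing" it. The selection key these list items belong to begins before the hunk, so the enclosing block is only partly visible here.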