Merge PR #5508 by @X-Junior - add CLSIDs to COM Object Hijacking

update : COM Object Hijacking Via Modification Of Default System CLSID Default Value - add CLSIDs
2025-07-01 12:47:23 +03:00
parent ff2c7bf284
commit e597e13d6c
1 changed files with 6 additions and 1 deletions
@@ -14,9 +14,11 @@ references:
    - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
    - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
+    - https://github.com/rtecCyberSec/BitlockMove
+    - https://cert.gov.ua/article/6284080
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
-modified: 2025-05-06
+modified: 2025-07-01
 tags:
    - attack.persistence
    - attack.t1546.015
@@ -43,6 +45,9 @@ detection:
            - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
            - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
            - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
+            - '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
+            - '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
+            - '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
    selection_susp_location_1:
        Details|contains:
            # Note: Add more suspicious paths and locations