From e597e13d6c984bea0a35f2c6ef224a506f9c5813 Mon Sep 17 00:00:00 2001
From: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com>
Date: Tue, 1 Jul 2025 12:47:23 +0300
Subject: [PATCH] Merge PR #5508 by @X-Junior - add CLSIDs to COM Object Hijacking

update : COM Object Hijacking Via Modification Of Default System CLSID Default Value - add CLSIDs
---
 .../registry_set_persistence_com_hijacking_builtin.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index 896c310da..52115f0fc 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -14,9 +14,11 @@ references:
     - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
     - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
     - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
+    - https://github.com/rtecCyberSec/BitlockMove
+    - https://cert.gov.ua/article/6284080
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
-modified: 2025-05-06
+modified: 2025-07-01
 tags:
     - attack.persistence
     - attack.t1546.015
@@ -43,6 +45,9 @@ detection:
         - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
         - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
         - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
+        - '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
+        - '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
+        - '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
     selection_susp_location_1:
         Details|contains:
             # Note: Add more suspicious paths and locations
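Review bot: The three CLSIDs added in the second hunk carry no comment tying them to the COM component they identify or to the two references added in the first hunk, so an analyst triaging or tuning a hit on one of them has to re-derive that mapping from the sources. The file already uses inline `#` comments, so a per-entry comment in that style would do, e.g. `- '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'  # <COM class name> - <reference URL>` with the name and URL taken from the cited reports. The list these entries belong to starts before the hunk, so its selection name and any existing per-entry annotations are not visible here.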