COM Object Hijacking Via Modification Of Default System CLSID Default Value

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects potential COM object hijacking via modification of default system CLSID.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1546.015` Event Triggered Execution: Component Object Model Hijacking
Privilege Escalation	`T1546.015` Event Triggered Execution: Component Object Model Hijacking

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `all of selection_target_root`

or:
TargetObject|endswith: '\InprocServer32\(Default)'
TargetObject|endswith: '\LocalServer32\(Default)'
TargetObject|contains: '\CLSID\'

Stage 2: `all of selection_target_builtin_clsid`

or:
TargetObject|contains: '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
TargetObject|contains: '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
TargetObject|contains: '\{2155fee3-2419-4373-b102-6843707eb41f}\'
TargetObject|contains: '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
TargetObject|contains: '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
TargetObject|contains: '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
TargetObject|contains: '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
TargetObject|contains: '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
TargetObject|contains: '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
TargetObject|contains: '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
TargetObject|contains: '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
TargetObject|contains: '\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\'
TargetObject|contains: '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
TargetObject|contains: '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
TargetObject|contains: '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'

Stage 3: `1 of selection_susp_location_1`

or:
Details|contains: '%appdata%'
Details|contains: '%temp%'
Details|contains: '%tmp%'
Details|contains: ':\Perflogs\'
Details|contains: '\AppData\Local\'
Details|contains: '\Desktop\'
Details|contains: '\Downloads\'
Details|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
Details|contains: '\System32\spool\drivers\color\'
Details|contains: '\Temporary Internet'
Details|contains: '\Users\Public\'
Details|contains: '\Windows\Temp\'

Stage 4: `1 of selection_susp_location_2`

or:
Details|contains: ':\Users\'
Details|contains: '\Contacts\'
Details|contains: ':\Users\'
Details|contains: '\Favorites\'
Details|contains: ':\Users\'
Details|contains: '\Favourites\'
Details|contains: ':\Users\'
Details|contains: '\Pictures\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	match	`%appdata%` `%temp%` corpus 3 (sigma 3) `%tmp%` corpus 4 (sigma 4) `:\Perflogs\` corpus 3 (sigma 3) `:\Users\` corpus 4 (sigma 4) `\AppData\Local\` `\Contacts\` corpus 4 (sigma 4) `\Desktop\` corpus 3 (sigma 3) `\Downloads\` corpus 2 (sigma 2) `\Favorites\` corpus 3 (sigma 3) `\Favourites\` corpus 3 (sigma 3) `\Microsoft\Windows\Start Menu\Programs\Startup\` corpus 2 (sigma 2) `\Pictures\` corpus 3 (sigma 3) `\System32\spool\drivers\color\` `\Temporary Internet` corpus 3 (sigma 3) `\Users\Public\` corpus 5 (sigma 5) `\Windows\Temp\` corpus 4 (sigma 4)
`TargetObject`	ends_with	`\InprocServer32\(Default)` `\LocalServer32\(Default)`
`TargetObject`	match	`\CLSID\` `\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\` `\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\` `\{2155fee3-2419-4373-b102-6843707eb41f}\` `\{2227A280-3AEA-1069-A2DE-08002B30309D}\` `\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\` `\{30D49246-D217-465F-B00B-AC9DDD652EB7}\` `\{4590f811-1d3a-11d0-891f-00aa004b2e24}\` `\{4de225bf-cf59-4cfc-85f7-68b90f185355}\` `\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\` `\{7849596a-48ea-486e-8937-a2a3009f31a9}\` `\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\` `\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\` `\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\` `\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\` `\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\`

COM Object Hijacking Via Modification Of Default System CLSID Default Value

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_target_root

Stage 2: all of selection_target_builtin_clsid

Stage 3: 1 of selection_susp_location_1

Stage 4: 1 of selection_susp_location_2

Indicators

Stage 1: `all of selection_target_root`

Stage 2: `all of selection_target_builtin_clsid`

Stage 3: `1 of selection_susp_location_1`

Stage 4: `1 of selection_susp_location_2`