Potential PSFactoryBuffer COM Hijacking

Severity: high
Author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
Source: upstream

Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1546.015` Event Triggered Execution: Component Object Model Hijacking
Privilege Escalation	`T1546.015` Event Triggered Execution: Component Object Model Hijacking

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `selection`

TargetObject|endswith: '\CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default)'

Stage 2: `not filter_main`

Details: ['%windir%\System32\ActXPrxy.dll', 'C:\Windows\System32\ActXPrxy.dll']

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	eq	`%windir%\System32\ActXPrxy.dll` `C:\Windows\System32\ActXPrxy.dll`
`TargetObject`	ends_with	`\CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default)`