Techniques
Sample rules
Potential Persistence Via COM Hijacking From Suspicious Locations
- source: sigma
- techniques:
  - t1546
  - t1546.015
Description
Detects potential COM object hijacking where the server path of a CLSID (the default value of its InprocServer32 key for in-process servers, or of its LocalServer32 key for out-of-process servers) is set to a suspicious or unusual location, such as a user-writable temp, profile or download directory. The rule evaluates registry value set events (Sysmon Event ID 13), whose TargetObject field carries the registry value path and whose Details field carries the data written.
Detection logic
condition: selection
selection:
    Details|contains:
        - '\AppData\Local\Temp\'
        - '\Desktop\'
        - '\Downloads\'
        - '\Microsoft\Windows\Start Menu\Programs\Startup\'
        - '\System32\spool\drivers\color\'
        - '\Users\Public\'
        - '\Windows\Temp\'
        - '%appdata%'
        - '%temp%'
        - '%tmp%'
    TargetObject|contains: '\CLSID\'
    TargetObject|endswith:
        - '\InprocServer32\(Default)'
        - '\LocalServer32\(Default)'
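The following is an added example, written for this page and not part of the Sigma rule or the Sigma project: a minimal evaluator that applies the three `selection` clauses above to constructed Sysmon Event ID 13 records, so the logic can be checked against true positives (a per-user CLSID whose server lands in `AppData\Local\Temp`, an unexpanded `%APPDATA%` path) and near misses (a system DLL, a Run key, a `ThreadingModel` value). The GUID, SID, user name and file names in the sample records are placeholders. Sigma `contains`/`endswith` modifiers are case-insensitive, so the evaluator lowercases both sides.

```python
# Added example for this page, not Sigma project code: evaluate the rule's `selection`
# against constructed Sysmon Event ID 13 (registry value set) records.
from typing import Dict, Iterable, List

# Copied from the rule's Details|contains list (backslashes doubled for Python strings).
SUSPICIOUS_LOCATIONS: List[str] = [
    "\\AppData\\Local\\Temp\\",
    "\\Desktop\\",
    "\\Downloads\\",
    "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    "\\System32\\spool\\drivers\\color\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
    "%appdata%",
    "%temp%",
    "%tmp%",
]

# Copied from the rule's TargetObject|contains and TargetObject|endswith clauses.
CLSID_MARKER = "\\CLSID\\"
SERVER_VALUE_SUFFIXES = ("\\InprocServer32\\(Default)", "\\LocalServer32\\(Default)")


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies all three clauses of `selection` (they are ANDed).

    Sigma string modifiers are case-insensitive, so both sides are lowercased.
    """
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if CLSID_MARKER.lower() not in target:
        return False
    if not target.endswith(tuple(s.lower() for s in SERVER_VALUE_SUFFIXES)):
        return False
    return any(loc.lower() in details for loc in SUSPICIOUS_LOCATIONS)


def alerts(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of the events that fire the rule, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample records; the SID and GUID are placeholders, not real objects.
_USER_CLSID = (
    "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\SOFTWARE\\Classes\\CLSID"
    "\\{11111111-2222-3333-4444-555555555555}"
)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Per-user CLSID override whose in-process server lives under AppData\Local\Temp: fires.
    {"id": "tp-temp-dll",
     "TargetObject": _USER_CLSID + "\\InprocServer32\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},
    # REG_EXPAND_SZ data is logged unexpanded; upper-case %APPDATA% must still match.
    {"id": "tp-appdata-exe",
     "TargetObject": _USER_CLSID + "\\LocalServer32\\(Default)",
     "Details": "%APPDATA%\\Updater\\updater.exe"},
    # Installer writing a system DLL path: the Details clause fails, no alert.
    {"id": "fp-system32-dll",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}"
                     "\\InprocServer32\\(Default)",
     "Details": "C:\\Windows\\System32\\shell32.dll"},
    # Suspicious path, but a Run value rather than a COM server value: TargetObject clauses fail.
    {"id": "fp-run-key",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\helper",
     "Details": "C:\\Users\\Public\\helper.exe"},
    # Same CLSID key, but the ThreadingModel value, not (Default): endswith clause fails.
    {"id": "fp-threading-model",
     "TargetObject": _USER_CLSID + "\\InprocServer32\\ThreadingModel",
     "Details": "Apartment"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:20s} -> {'ALERT' if matches_rule(event) else 'ok'}")
```

Running the block prints `ALERT` for the two `tp-` records and `ok` for the three `fp-` records. Two details of the Sysmon data model matter for the rule: the default value of a key is rendered as `(Default)` at the end of TargetObject, which is why the `endswith` clause works, and REG_EXPAND_SZ data is logged with `%APPDATA%`, `%TEMP%` and `%TMP%` unexpanded, which is why those variables appear in the list alongside the resolved paths.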