LoFP LoFP / Some installed utilities (e.g. OneDrive) may serve new COM objects at user level

Techniques

Sample rules

Potential Persistence Via COM Search Order Hijacking

Description

Detects potential COM object hijacking that leverages the COM search order.

Detection logic

# Sigma `detection` section as rendered by the LoFP page (rule metadata and
# logsource are not shown here). A registry event matching `selection` raises
# an alert unless at least one of the `filter_main_*` mappings also matches.
# NOTE(review): many values below are plain scalars beginning with ':' (e.g.
# `:\Windows\...`). That is valid YAML in block context but relies on a parser
# edge case; quoting them ('...') would be the robust form.
condition: selection and not 1 of filter_main_*
# Bonjour DNS-SD library (dnssdX.dll) registered from system32 / SysWOW64.
filter_main_bonjourlib:
  Details|endswith:
  - :\Windows\system32\dnssdX.dll
  - :\Windows\SysWOW64\dnssdX.dll
# Windows Defender engine: both Image conditions must hold (mapping = AND),
# so only MsMpEng.exe launched from one of the two listed directories is excluded.
filter_main_defender:
  Image|contains:
  - :\ProgramData\Microsoft\Windows Defender\Platform\
  - :\Program Files\Windows Defender\
  Image|endswith: \MsMpEng.exe
# Dropbox shell extension; `|all` requires both substrings in Details.
filter_main_dropbox:
  Details|contains|all:
  - \AppData\Roaming\Dropbox\
  - \DropboxExt64.*.dll
filter_main_dx:
  Image|endswith: :\WINDOWS\SYSTEM32\dxdiag.exe
filter_main_edge:
  Image|endswith: \MicrosoftEdgeUpdateComRegisterShell64.exe
filter_main_gameservice:
  Details|contains: :\WINDOWS\system32\GamingServicesProxy.dll
# Broad exclusion: any server path under %systemroot%\system32 or SysWow64.
# NOTE(review): the doubled '%%' is reproduced as given in the rule; confirm it
# matches how the log source records %SystemRoot% in the registry value.
filter_main_generic:
  Details|contains:
  - '%%systemroot%%\system32\'
  - '%%systemroot%%\SysWow64\'
# Matches on Image alone; overlaps with filter_main_sec_health_svc below.
filter_main_health_service:
  Image|endswith: :\WINDOWS\system32\SecurityHealthService.exe
# Excludes poqexec.exe and regsvr32.exe writing an InProcServer32 default
# value. NOTE(review): regsvr32.exe is a signed, widely used registration
# binary, so this exclusion removes visibility of every DLL it registers;
# review whether that is acceptable for the environment.
filter_main_inprocserver:
  Image|endswith:
  - :\Windows\System32\poqexec.exe
  - :\Windows\System32\regsvr32.exe
  TargetObject|endswith: \InProcServer32\(Default)
filter_main_nvidia:
  Details|contains: \FileRepository\nvmdi.inf
# OneDrive — the user-level location this LoFP entry documents. The list is an
# OR, not `|all`: a Details value containing any single entry is excluded.
filter_main_onedrive:
  Details|contains:
  - \AppData\Local\Microsoft\OneDrive\
  - \FileCoAuthLib64.dll
  - \FileSyncShell64.dll
  - \FileSyncApi64.dll
filter_main_poqexec:
  Details|contains: :\Windows\System32\Autopilot.dll
  Image|endswith: :\Windows\System32\poqexec.exe
filter_main_printextensionmanager:
  Details|endswith: :\Windows\system32\spool\drivers\x64\3\PrintConfig.dll
# Very broad path exclusions. NOTE(review): subdirectories under ProgramData
# may be writable by standard users depending on ACLs; consider narrowing
# these two filters if the environment needs coverage there.
filter_main_programdata:
  Details|contains: :\ProgramData\Microsoft\
filter_main_programfiles:
  Details|contains:
  - :\Program Files\
  - :\Program Files (x86)\
filter_main_python:
  Details|endswith:
  - :\Windows\pyshellext.amd64.dll
  - :\Windows\pyshellext.dll
# Subsumed by filter_main_health_service (same Image, modulo case — Sigma
# string matching is presumably case-insensitive here; confirm for the backend).
filter_main_sec_health_svc:
  Details|contains: :\Windows\System32\SecurityHealth
  Image|endswith: :\Windows\system32\SecurityHealthService.exe
filter_main_teams:
  Details|contains|all:
  - \AppData\Local\Microsoft\TeamsMeetingAddin\
  - \Microsoft.Teams.AddinLoader.dll
filter_main_trend_micro:
  Details|endswith: TmopIEPlg.dll
# NOTE(review): excluding every write originating from svchost.exe is broad,
# since many services host under it; the wuauclt.exe entry is narrower.
filter_main_update:
  Image|endswith:
  - :\WINDOWS\system32\wuauclt.exe
  - :\WINDOWS\system32\svchost.exe
# Any registry write to a CLSID's InprocServer32 default value. Spelling
# differs from filter_main_inprocserver ('InProcServer32'); the match is
# presumably case-insensitive, so both forms should agree — verify.
selection:
  TargetObject|contains: \CLSID\
  TargetObject|endswith: \InprocServer32\(Default)