In addition to these, we also found the following folders frequently used to hide malicious DLLs:
Detection
To detect unusual modifications to COM objects in the registry, there are a couple of crowdsourced Sigma rules that identify this behavior.
These rules detect uncommon registry modifications related to COM objects. You can use the following queries to retrieve samples triggered by these rules, respectively: VTI query for sigma1 and VTI query for sigma2.
You can also identify this behavior with Livehunt rules that target the creation of the registry keys used for this purpose, for instance with the vt.behaviour.registry_keys_set modifier.
import "vt"

rule CLSID_COM_Hijacking {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"
  condition:
    // only new files with at least 5 malicious verdicts
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and
    // any registry key set under CLSID\{GUID}\InProcServer32\(Default)
    for any vt_behaviour_registry_keys_set in vt.behaviour.registry_keys_set: (
      vt_behaviour_registry_keys_set.key matches /\\CLSID\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}\\InProcServer32\\\(Default\)/
    )
}
The rule above might generate some noise, so we suggest polishing it by excluding certain common families like Berbew, which, as mentioned, relies heavily on this technique:

    and not
    (
      for any engine, signature in vt.metadata.signatures : (
        signature icontains "berbew"
      )
    )
You can also use the paths listed in the Appendix to identify suspicious samples that use them.
A final idea is to include interesting existing Sigma rules in our Livehunt. Given that these rules already cover the targeted registry keys, we don’t need to use vt.behaviour.registry_keys_set in our condition.
import "vt"

rule CLSID_COM_Hijacking {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    sigma_authors = "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"
  condition:
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and
    // match on the crowdsourced Sigma rule that already covers the COM registry keys
    for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results: (
      vt_behaviour_sigma_analysis_results.rule_id == "7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4"
    )
}
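To make the two Livehunt conditions above (the registry-key rule with its Berbew exclusion, and the Sigma-based rule) easier to reason about and test offline, here is an added Python example that is not from the original post or from VirusTotal. It applies the same logic to constructed reports shaped like the fields the rules read (metadata.new_file, metadata.analysis_stats.malicious, metadata.signatures, behaviour.registry_keys_set, behaviour.sigma_analysis_results). The sample reports, engine names, detection names and DLL file name are constructed; the CLSID and folder in the first sample come from the Appendix, and the regex, threshold and Sigma rule id are the ones the rules above use.

```python
import re

# Same CLSID\{GUID}\InProcServer32\(Default) pattern as the first Livehunt rule.
CLSID_INPROC_RE = re.compile(
    r"\\CLSID\\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}"
    r"\\InProcServer32\\\(Default\)"
)

# Sigma rule id quoted in the second Livehunt rule.
SIGMA_COM_HIJACK_RULE_ID = "7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4"

MIN_MALICIOUS = 5  # vt.metadata.analysis_stats.malicious >= 5


def prefilter(report: dict) -> bool:
    """vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5."""
    meta = report["metadata"]
    return bool(meta.get("new_file")) and meta["analysis_stats"].get("malicious", 0) >= MIN_MALICIOUS


def registry_rule_fires(report: dict) -> bool:
    """First rule: any registry_keys_set entry whose key matches the CLSID pattern."""
    keys = report.get("behaviour", {}).get("registry_keys_set", [])
    return prefilter(report) and any(CLSID_INPROC_RE.search(k.get("key", "")) for k in keys)


def sigma_rule_fires(report: dict) -> bool:
    """Second rule: any sigma_analysis_results entry carrying the COM-hijacking rule_id."""
    results = report.get("behaviour", {}).get("sigma_analysis_results", [])
    return prefilter(report) and any(r.get("rule_id") == SIGMA_COM_HIJACK_RULE_ID for r in results)


def excluded_family(report: dict, families=("berbew",)) -> bool:
    """The 'and not (...)' clause: any AV signature that icontains one of the family names."""
    signatures = report["metadata"].get("signatures", {})  # engine -> detection name
    return any(fam in sig.lower() for sig in signatures.values() for fam in families)


def triage(report: dict) -> dict:
    """Evaluate both rules plus the family exclusion and say whether we would alert."""
    fired = {"registry": registry_rule_fires(report), "sigma": sigma_rule_fires(report)}
    excluded = excluded_family(report)
    return {**fired, "excluded": excluded, "alert": (fired["registry"] or fired["sigma"]) and not excluded}


# Constructed sample reports (not real VirusTotal data).
SAMPLE_REPORTS = {
    # Hijacks an Appendix CLSID from an Appendix folder, but AV names the family, so the exclusion drops it.
    "berbew_like": {
        "metadata": {"new_file": True, "analysis_stats": {"malicious": 12},
                     "signatures": {"EngineA": "Trojan.Win32.Berbew.gen", "EngineB": "Generic.Malware"}},
        "behaviour": {"registry_keys_set": [{
            "key": r"HKEY_CURRENT_USER\Software\Classes\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\(Default)",
            "value": r"C:\Users\<user>\AppData\Roaming\qmacro\loader.dll"}],
            "sigma_analysis_results": []},
    },
    # No CLSID key in the report, but the crowdsourced Sigma rule fired: only the second rule matches.
    "unknown_family": {
        "metadata": {"new_file": True, "analysis_stats": {"malicious": 6},
                     "signatures": {"EngineA": "Trojan.GenericKD"}},
        "behaviour": {"registry_keys_set": [{"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updater"}],
                      "sigma_analysis_results": [{"rule_id": SIGMA_COM_HIJACK_RULE_ID}]},
    },
    # A clean installer registering a COM class: the key matches, but the malicious threshold is not met.
    "benign": {
        "metadata": {"new_file": True, "analysis_stats": {"malicious": 0}, "signatures": {}},
        "behaviour": {"registry_keys_set": [{
            "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\(Default)"}],
            "sigma_analysis_results": []},
    },
}

if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        print(name, triage(report))
```

The "benign" sample is the reason the threshold matters: legitimate installers write exactly the same key shape, so the regex alone is not a detection, only the combination with verdicts (or, in an endpoint context, with the DLL path and hive) is.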
Wrapping up
T1546.015 - Event Triggered Execution: Component Object Model Hijacking is just one of several techniques employed for persistence. Leveraging COM objects for this purpose is often straightforward for threat actors. Analyzing how malware abuses this technique helps us better understand how to identify different families and develop protection methods. Although it is not the most popular persistence technique (that would be T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), it is widely abused by many malware families.
Identifying some of the most abused CLSIDs can help us generate detection rules that identify possible malware abuse in our infrastructure. It can also serve as a prevalence baseline for spotting anomalies that point to new suspicious activity.
VirusTotal sandbox reports are a very powerful tool for translating TTPs into actionable queries and monitoring. In this example we used them to better understand how attackers use COM objects, but they could be used for any technique employed by different threat actors.
APPENDIX
Abused CLSIDs
Next, you'll find a list of the main CLSIDs described in the blog, along with a chart to show which ones were used the most.
CLSID - COM Objects:
- 79FAA099-1BAE-816E-D711-115290CEE717
- EBEB87A6-E151-4054-AB45-A6E094C5334B
- 241D7F03-9232-4024-8373-149860BE27C0
- C07DB6A3-34FC-4084-BE2E-76BB9203B049
- 79ECA078-17FF-726B-E811-213280E5C831
- 22C6C651-F6EA-46BE-BC83-54E83314C67F
- F4CBF20B-F634-4095-B64A-2EBCDD9E560E
- 57477331-126E-4FC8-B430-1C6143484AA9
- C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9
- 89565275-A714-4a43-912E-978B935EDCCC
- 26037A0E-7CBD-4FFF-9C63-56F2D0770214
- 16426152-126E-4FC8-B430-1C6143484AA9
- 33414471-126E-4FC8-B430-1C6143484AA9
- 23716116-126E-4FC8-B430-1C6143484AA9
- D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4
- 79FEACFF-FFCE-815E-A900-316290B5B738
- 74A94F46-4FC5-4426-857B-FCE9D9286279
Common paths
Below you will find a list of some of the most common paths used during the creation of COM objects for persistence. The table contains the 'parent' paths as well, while the chart includes only the 'subpaths'.
Common paths used during COM object persistence:
- C:\Users\<user>\AppData\Roaming
- C:\Users\<user>\AppData\Roaming\qmacro
- C:\Users\<user>\AppData\Roaming\mymacro
- C:\Users\<user>\AppData\Roaming\MacroCommerce
- C:\Users\<user>\AppData\Roaming\Plugin
- C:\Users\<user>\AppData\Roaming\Microsoft
- C:\Windows\SysWow64
- C:\Program Files (x86)
- C:\Program Files (x86)\Google
- C:\Program Files (x86)\Mozilla Firefox
- C:\Program Files (x86)\Microsoft
- C:\Program Files (x86)\Common Files
- C:\Program Files (x86)\Internet Download Manager
- C:\Users\<user>\AppData\Local
- C:\Users\<user>\AppData\Local\Temp
- C:\Users\<user>\AppData\Local\Microsoft
- C:\Users\<user>\AppData\Local\Google
- C:\Windows\Temp
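As an added example that is not part of the original post, the following Python snippet turns the two Appendix lists into a small triage function for InProcServer32 values taken from a sandbox report or a registry export. It normalizes the profile name to the <user> placeholder the Appendix uses, checks whether the CLSID is in the abused list, finds the most specific common path the DLL lives under (so a 'subpath' such as ...\Roaming\qmacro wins over its 'parent' ...\Roaming), and notes whether the key sits in a per-user hive, which COM consults before HKLM and which is what lets a non-admin process hijack a machine-wide class. The sample events and DLL names are constructed, and the CLSID {11111111-2222-3333-4444-555555555555} is a placeholder rather than a real COM class.

```python
import re
from typing import Optional

# CLSIDs from the Appendix "Abused CLSIDs" list, uppercased so comparisons are case-insensitive.
ABUSED_CLSIDS = {c.upper() for c in (
    "79FAA099-1BAE-816E-D711-115290CEE717", "EBEB87A6-E151-4054-AB45-A6E094C5334B",
    "241D7F03-9232-4024-8373-149860BE27C0", "C07DB6A3-34FC-4084-BE2E-76BB9203B049",
    "79ECA078-17FF-726B-E811-213280E5C831", "22C6C651-F6EA-46BE-BC83-54E83314C67F",
    "F4CBF20B-F634-4095-B64A-2EBCDD9E560E", "57477331-126E-4FC8-B430-1C6143484AA9",
    "C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9", "89565275-A714-4a43-912E-978B935EDCCC",
    "26037A0E-7CBD-4FFF-9C63-56F2D0770214", "16426152-126E-4FC8-B430-1C6143484AA9",
    "33414471-126E-4FC8-B430-1C6143484AA9", "23716116-126E-4FC8-B430-1C6143484AA9",
    "D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4", "79FEACFF-FFCE-815E-A900-316290B5B738",
    "74A94F46-4FC5-4426-857B-FCE9D9286279",
)}

# Paths from the Appendix "Common paths" list; <user> stands for any profile name.
COMMON_PATHS = (
    r"C:\Users\<user>\AppData\Roaming", r"C:\Users\<user>\AppData\Roaming\qmacro",
    r"C:\Users\<user>\AppData\Roaming\mymacro", r"C:\Users\<user>\AppData\Roaming\MacroCommerce",
    r"C:\Users\<user>\AppData\Roaming\Plugin", r"C:\Users\<user>\AppData\Roaming\Microsoft",
    r"C:\Windows\SysWow64", r"C:\Program Files (x86)", r"C:\Program Files (x86)\Google",
    r"C:\Program Files (x86)\Mozilla Firefox", r"C:\Program Files (x86)\Microsoft",
    r"C:\Program Files (x86)\Common Files", r"C:\Program Files (x86)\Internet Download Manager",
    r"C:\Users\<user>\AppData\Local", r"C:\Users\<user>\AppData\Local\Temp",
    r"C:\Users\<user>\AppData\Local\Microsoft", r"C:\Users\<user>\AppData\Local\Google",
    r"C:\Windows\Temp",
)

GUID_RE = re.compile(r"\\CLSID\\\{([0-9a-fA-F-]{36})\}\\InProcServer32", re.I)
USER_PROFILE_RE = re.compile(r"^(c:\\users\\)[^\\]+", re.I)


def normalize_path(path: str) -> str:
    """Replace the concrete profile name with the <user> placeholder used in the Appendix."""
    return USER_PROFILE_RE.sub(r"\1<user>", path)


def matching_common_path(path: str) -> Optional[str]:
    """Return the most specific Appendix path containing `path` (parent paths match too)."""
    norm = normalize_path(path).lower()
    hits = [p for p in COMMON_PATHS if norm == p.lower() or norm.startswith(p.lower() + "\\")]
    return max(hits, key=len) if hits else None


def is_user_hive(key: str) -> bool:
    """Per-user Classes entries (HKCU or HKEY_USERS\\<SID>) take precedence over HKLM for COM lookups."""
    return key.upper().startswith(("HKEY_CURRENT_USER", "HKCU", "HKEY_USERS"))


def classify_inproc_value(key: str, dll_path: str) -> dict:
    """Score one InProcServer32 (Default) write: known CLSID, user hive, common drop folder."""
    m = GUID_RE.search(key)
    clsid = m.group(1).upper() if m else None
    findings = {
        "clsid": clsid,
        "known_abused_clsid": clsid in ABUSED_CLSIDS,
        "user_hive": is_user_hive(key),
        "common_path": matching_common_path(dll_path),
    }
    findings["score"] = sum([findings["known_abused_clsid"], findings["user_hive"],
                             findings["common_path"] is not None])
    return findings


# Constructed (key, value) pairs, as a sandbox report or registry export would list them.
SAMPLE_EVENTS = [
    (r"HKEY_CURRENT_USER\Software\Classes\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)",
     r"C:\Users\alice\AppData\Roaming\qmacro\macro.dll"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32\(Default)",
     r"C:\Windows\System32\example.dll"),
    (r"HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32\(Default)",
     r"C:\Program Files (x86)\Google\helper.dll"),
]

if __name__ == "__main__":
    for key, value in SAMPLE_EVENTS:
        print(classify_inproc_value(key, value))
```

The score is deliberately additive rather than a verdict: a known CLSID written from HKLM by an installer under Program Files is routine, while a per-user hive write pointing into a Roaming subfolder is the combination this post's samples show, and the prevalence of each CLSID in your own environment is what turns the score into a threshold.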