SigmaHQ / sigma

Main Sigma Rule Repository

registry_set_persistence_search_order.yml objects to non-Windows COM objects in general #4972

Closed MsdnUsrSince1994 closed 1 week ago

MsdnUsrSince1994 commented 3 weeks ago

Rule UUID

a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12

Example EventLog

On VirusTotal scanning of any self-registering OCX not on the hardcoded list:

Matches rule Potential Persistence Via COM Search Order Hijacking by Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien at Sigma Integrated Rule Set (GitHub) Detects potential COM object hijacking leveraging the COM Search Order

Description

This rule, as written, considers any file that mentions the COM class registration keys and doesn't mention the Windows directory as a potential hijack attempt. Understanding the technology and reading the Wayback archive of the quoted blog post makes it clear that the problem only happens when changing or creating the specific registry keys of COM classes that trusted OS processes happen to look for and load on their own. There is no danger in installing a new application-specific COM class and letting it point to the trusted implementation in the relevant vendor install directory.

Furthermore, the Sigma rule may be trivially bypassable by malware making a spurious mention of one of the trusted locations listed in the sigma rule.
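To make the two points in the report concrete, here is an added example (not code from the Sigma rule, the reporter, or the project) that models the matching logic the issue describes and runs it over a few constructed Sysmon-style registry events. The `naive_match` function is an assumed simplification of the rule (substring check on the key, substring check on the value against a trusted-directory list); `refined_match` is a hypothetical tighter check that only fires for CLSIDs on a caller-supplied watchlist of classes that OS processes are known to load, and that anchors the trusted-directory test to the start of the server path. The trusted prefixes, the CLSIDs, the SID, and the paths are all placeholders constructed for this example.

```python
import re

# Constructed allow-list standing in for the rule's hardcoded trusted
# locations. This is an assumption for the example; the real rule's list may
# differ.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Matches the Sysmon-style TargetObject of an in-process server registration:
#   HKU\<SID>\SOFTWARE\Classes\CLSID\{...}\InprocServer32\(Default)
# and captures the CLSID.
CLSID_KEY = re.compile(
    r"\\CLSID\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"\\InprocServer32\\\(Default\)$",
    re.IGNORECASE,
)


def naive_match(event: dict) -> bool:
    """Assumed model of the logic the issue describes: fire on any COM class
    registration whose value does not mention a trusted directory anywhere."""
    if "\\InprocServer32\\" not in event["TargetObject"]:
        return False
    details = event["Details"].lower()
    return not any(prefix in details for prefix in TRUSTED_PREFIXES)


def refined_match(event: dict, watched_clsids: set) -> bool:
    """Hypothetical tighter check addressing both points in the issue:
    1. only classes that trusted OS processes load (the caller's watchlist)
       are a hijack surface, so application-specific CLSIDs are ignored;
    2. the server path must start with a trusted prefix, so a spurious
       mention of C:\\Windows\\ later in the value does not suppress a hit."""
    m = CLSID_KEY.search(event["TargetObject"])
    if not m:
        return False
    if m.group(1).upper() not in watched_clsids:
        return False
    path = event["Details"].strip().strip('"').lower()
    return not path.startswith(TRUSTED_PREFIXES)


# Placeholder watchlist: pretend this CLSID is one an OS process loads.
WATCHED = {"{00000000-0000-0000-0000-000000000001}"}

# Constructed events (Sysmon Event ID 13 style fields).
EVENTS = [
    {   # vendor registers its own app-specific OCX in its install directory
        "id": "vendor_ocx",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
        "Details": "C:\\Vendor\\App\\control.ocx",
    },
    {   # watched CLSID pointed at a user-writable DLL, padded with a trusted path
        "id": "bypass",
        "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)",
        "Details": "C:\\Users\\victim\\AppData\\Local\\Temp\\evil.dll ;C:\\Windows\\",
    },
    {   # watched CLSID pointed at a user-writable DLL, nothing hidden
        "id": "hijack",
        "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)",
        "Details": "C:\\Users\\victim\\AppData\\Roaming\\evil.dll",
    },
    {   # watched CLSID pointing at its normal system location
        "id": "os_default",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)",
        "Details": "C:\\Windows\\System32\\example.dll",
    },
]


def evaluate(events, watched_clsids):
    """Return {event id: (naive_result, refined_result)} for each event."""
    return {
        e["id"]: (naive_match(e), refined_match(e, watched_clsids))
        for e in events
    }


if __name__ == "__main__":
    for name, (naive, refined) in evaluate(EVENTS, WATCHED).items():
        print(f"{name:12s} naive={naive!s:5s} refined={refined}")
```

Running it shows the false positive (`vendor_ocx` fires only under the naive model) and the bypass (`bypass` is missed by the naive model but caught once the prefix test is anchored to the start of the path), while the genuine hijack is flagged by both and the stock OS registration by neither. The watchlist is the part the page does not supply: which CLSIDs trusted processes actually load has to come from elsewhere.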

github-actions[bot] commented 3 weeks ago

Welcome @MsdnUsrSince1994 :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library, please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library, please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

nasbench commented 3 weeks ago

Thanks for reporting @MsdnUsrSince1994

I will look into this and report back