From a0ebd4f78b427bb184830b93a030c61dd1df51d8 Mon Sep 17 00:00:00 2001
From: Gameel Ali
Date: Tue, 19 Nov 2024 10:57:11 +0200
Subject: [PATCH 1/3] Update registry_set_persistence_com_hijacking_builtin.yml
---
 .../registry_set_persistence_com_hijacking_builtin.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index a30291b3400..997cb65f02a 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -13,7 +13,7 @@ references:
 - https://blog.talosintelligence.com/uat-5647-romcom/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
-modified: 2024-10-18
+modified: 2024-11-19
 tags:
 - attack.persistence
 - attack.t1546.015
@@ -36,6 +36,7 @@ detection:
 - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
 - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
 - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
+ - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
 selection_susp_location_1:
 Details|contains:
 # Note: Add more suspicious paths and locations
From b4580bde6b765493354b0d6ef3b927869547e5aa Mon Sep 17 00:00:00 2001
From: Gameel Ali
Date: Tue, 19 Nov 2024 11:09:13 +0200
Subject: [PATCH 2/3] Update registry_set_persistence_com_hijacking_builtin.yml
---
 .../registry_set_persistence_com_hijacking_builtin.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index 997cb65f02a..9258d92eca3 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
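Review bot: The added entry `+ - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'` in the second hunk carries no indication of which COM class the CLSID resolves to or which report it was taken from, and the neighbouring entries give no pattern to infer it from, so a maintainer later assessing false positives or pruning the list has nothing to go on. An inline comment on the new line would fix that, e.g. `- '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'  # <COM class name> - see <source report URL>` with the placeholders filled from the source the rule cites. The same applies to the `\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\` entry added in the second patch of this series. The selection this list belongs to starts before the hunk and the `detection` block continues past it, so the selection's key and modifier are not visible here.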
@@ -37,6 +37,7 @@ detection:
 - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
 - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
 - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
+ - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
 selection_susp_location_1:
 Details|contains:
 # Note: Add more suspicious paths and locations
From ea0ce1400687260b244cc4cc27a6d0427a3fbd39 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 28 Nov 2024 11:46:45 +0100
Subject: [PATCH 3/3] Update registry_set_persistence_com_hijacking_builtin.yml
---
 .../registry_set_persistence_com_hijacking_builtin.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
index 9258d92eca3..82a4e741382 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml
@@ -11,6 +11,7 @@ references:
 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
 - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
 - https://blog.talosintelligence.com/uat-5647-romcom/
+ - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2024-07-16
 modified: 2024-11-19
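Review bot: The third patch changes the rule on 28 Nov 2024 but leaves ` modified: 2024-11-19` untouched as a context line at the end of its hunk, so the rule's own metadata no longer reflects its last change. If the project's convention counts a reference addition as a modification, the line should become `modified: 2024-11-28`. The new reference presumably documents the two CLSIDs added in the earlier patches of this series; if so, stating that in the commit message or next to the entries would let readers connect the indicator to its source without guessing.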