Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
title: Potential PSFactoryBuffer COM Hijacking
id: 243380fa-11eb-4141-af92-e14925e77c1b
status: test
description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
references:
- https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
- https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html
- https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection
- https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
date: 2023-06-07
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.015
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default)'
filter_main:
Details:
- '%windir%\System32\ActXPrxy.dll'
- 'C:\Windows\System32\ActXPrxy.dll'
condition: selection and not filter_main
falsepositives:
- Unknown
level: high
imRegistry
| where RegistryKey endswith "\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" and (not((RegistryValueData in~ ("%windir%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll"))))DeviceRegistryEvents
| where RegistryKey endswith "\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" and (not((RegistryValueData in~ ("%windir%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll"))))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |