Skip to content

Hide Navigation Hide TOC

Potential PSFactoryBuffer COM Hijacking (243380fa-11eb-4141-af92-e14925e77c1b)

Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.

Cluster A Galaxy A Cluster B Galaxy B Level
Potential PSFactoryBuffer COM Hijacking (243380fa-11eb-4141-af92-e14925e77c1b) Sigma-Rules Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern 1
Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2