
Potential PSFactoryBuffer COM Hijacking (243380fa-11eb-4141-af92-e14925e77c1b)

Detects changes to the PSFactory COM InProcServer32 registry key. This technique was used by RomCom to establish persistence by storing a malicious DLL.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Potential PSFactoryBuffer COM Hijacking (243380fa-11eb-4141-af92-e14925e77c1b) | Sigma-Rules | Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) | Attack Pattern | 1 |
| Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | Component Object Model Hijacking - T1546.015 (bc0f5e80-91c0-4e04-9fbb-e4e332c85dae) | Attack Pattern | 2 |