Threat Actor: Attor
Origin: unknown
Adversary group targeting diplomatic missions and governmental organisations.
Detection Rules
Attor_SIGMA_Detection (tags: sigma, ai_generated)
title: Suspicious COM Object Instantiation for Remote Access via DCOM
id: 3a7c9a2e-4a5e-4b9d-9a4f-8a86c5b4d1a3
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'CoCreateInstance'
            - 'IID_IDispatch'
            - 'CLSID:'
            - 'dcom'
            - 'remote'
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\rundll32.exe'
    ttp_selection:
        CommandLine|contains|all:
            - 'CoCreateInstance'
            - 'remote'
    condition: selection and not ttp_selection
falsepositives:
    - Legitimate administrative scripts using DCOM (rare in standard user contexts)
    - Software deployment tools leveraging remote COM objects
level: high

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.