Threat Actor Unknown origin

Attor

1 detection rule

Adversary group targeting diplomatic missions and governmental organisations.

MITRE ATT&CK TTPs 1

Detection Rules

Attor_SIGMA_Detection
Format: Sigma (tag: ai_generated)
title: Suspicious COM Object Instantiation for Remote Access via DCOM
id: 3a7c9a2e-4a5e-4b9d-9a4f-8a86c5b4d1a3
status: experimental
description: |
  Detects rundll32.exe started by the DCOM Server Process Launcher service host
  (svchost.exe -k DcomLaunch). Out-of-process COM servers activated locally or
  remotely through DCOM are spawned by this service host, so an unexpected
  rundll32 child of it is a candidate for DCOM-based remote access or lateral
  movement. Process creation telemetry never carries Win32 API names such as
  CoCreateInstance or IID_IDispatch on the command line, so the rule keys on
  the parent process instead of on those strings.
tags:
  - attack.lateral_movement
  - attack.t1021.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\svchost.exe'
    ParentCommandLine|contains: 'DcomLaunch'
    Image|endswith: '\rundll32.exe'
  filter_shell_surrogate:
    # shell32's out-of-process COM surrogate is a common benign rundll32 child
    # of the DcomLaunch service host. Drop this filter when hunting for COM
    # hijacking, since a hijacked shell CLSID is launched the same way.
    CommandLine|contains: 'SHCreateLocalServerRunDll'
  condition: selection and not filter_shell_surrogate
falsepositives:
  - Legitimate shell COM servers hosted via shell32 SHCreateLocalServerRunDll (filtered above)
  - Legitimate administrative scripts using DCOM (rare in standard user contexts)
  - Software deployment tools leveraging remote COM objects
level: medium

Rules are AI-generated and unvalidated. Test in a safe environment before production use.
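To show what a rule of this shape actually evaluates, the following matcher runs a variant of it (rundll32.exe under the DcomLaunch service host as the selection, shell32's SHCreateLocalServerRunDll surrogate as a tuning filter) over constructed Windows process_creation events. This is an added example, not code from the page, from the Sigma project or from any vendor tooling; the events, paths, DLL names and the CLSID in the surrogate command line are constructed, and the matcher implements only the Sigma modifiers the rule uses (contains, endswith, startswith, all).

```python
"""Run DCOM rundll32 detection logic over constructed process_creation events.
Added example, not code from the page or from any Sigma tooling; all events,
paths and the CLSID below are constructed test data."""
from typing import Any, Dict, List, Sequence

# The rule's detection section as a plain dict (no YAML parser or Sigma
# backend needed). Keys use Sigma's field|modifier syntax.
DETECTION: Dict[str, Dict[str, Any]] = {
    "selection": {
        "ParentImage|endswith": "\\svchost.exe",
        "ParentCommandLine|contains": "DcomLaunch",
        "Image|endswith": "\\rundll32.exe",
    },
    # Tuning filter: shell32's out-of-process COM surrogate is a common benign
    # rundll32 child of the DcomLaunch service host.
    "filter_shell_surrogate": {
        "CommandLine|contains": "SHCreateLocalServerRunDll",
    },
}


def _match_value(value: Any, pattern: Any, modifiers: Sequence[str]) -> bool:
    """Compare one field value with one pattern. Sigma string matching is
    case-insensitive, so both sides are lower-cased first."""
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in v
    if "endswith" in modifiers:
        return v.endswith(p)
    if "startswith" in modifiers:
        return v.startswith(p)
    return v == p


def match_selection(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """All fields of a selection must match (AND). A list of patterns for one
    field is OR-ed unless the |all modifier is present."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        pats = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event[field], p, modifiers) for p in pats]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def evaluate(event: Dict[str, Any]) -> bool:
    """condition: selection and not filter_shell_surrogate"""
    return match_selection(event, DETECTION["selection"]) and not match_selection(
        event, DETECTION["filter_shell_surrogate"]
    )


# Constructed events, not real telemetry. The CLSID is a placeholder.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # unknown DLL activated under the DCOM launcher: should alert
        "id": "evt-1",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k DcomLaunch -p",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\Public\update.dll,DllRegisterServer",
    },
    {  # benign shell COM surrogate: matched by selection, removed by filter
        "id": "evt-2",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k DcomLaunch -p",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\system32\shell32.dll,SHCreateLocalServerRunDll"
                       r" {11111111-2222-3333-4444-555555555555} -Embedding",
    },
    {  # rundll32 spawned by explorer.exe: parent does not match
        "id": "evt-3",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\Public\update.dll,DllRegisterServer",
    },
    {  # svchost parent, but the netsvcs group rather than DcomLaunch
        "id": "evt-4",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
    {  # lower-cased fields: still matched, because matching is case-insensitive
        "id": "evt-5",
        "ParentImage": r"c:\windows\system32\svchost.exe",
        "ParentCommandLine": r"c:\windows\system32\svchost.exe -k dcomlaunch -p",
        "Image": r"c:\windows\system32\rundll32.exe",
        "CommandLine": r"rundll32.exe c:\programdata\stage.dll,#1",
    },
]


def alerting_events(events: Sequence[Dict[str, Any]] = SAMPLE_EVENTS) -> List[str]:
    """Return the ids of events for which the rule condition is true."""
    return [e["id"] for e in events if evaluate(e)]


if __name__ == "__main__":
    print(alerting_events())
```

Running the block prints the ids that fire; evt-2 shows why the filter matters (the selection alone would alert on every shell surrogate launch), and evt-5 shows that case folding has to be part of any hand-rolled evaluator, since a SIEM backend would normalise case for you.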

Source Articles