Added more generic potential HKCU CLSID COM hijacking rule

[grimlockx]

Summary of the Pull Request

The existing COM hijacking rule (registry_set_persistence_com_hijacking_builtin.yml) does not explicitly target a specific registry hive, although its references revolve around hijacking attempts in HKCU only. It only monitors the InprocServer32 and LocalServer32 subkeys and is very strict regarding file paths and registry subkeys.

Attackers frequently abuse HKCU (particularly for user-level persistence) using InprocServer and LocalServer registry keys too. This new rule specifically monitors the HKCU hive for InprocServer, InprocServer32, LocalServer and LocalServer32—and notably does not enforce any file path restrictions. As a result, the only expected false positives would likely occur during the installation of new software.

Changelog

new: Potential HKCU CLSID COM Hijacking - Sysmon

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[github-actions]

Welcome @grimlockx 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃