Potential COM Object Hijacking Via TreatAs Subkey - Registry

Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1546.015 ·

Detects COM object hijacking via TreatAs subkey

Sigma rule (View on GitHub)

 1title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
 2id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
 3status: test
 4description: Detects COM object hijacking via TreatAs subkey
 5references:
 6    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 7author: Kutepov Anton, oscd.community
 8date: 2019-10-23
 9modified: 2023-02-07
10tags:
11    - attack.privilege-escalation
12    - attack.persistence
13    - attack.t1546.015
14logsource:
15    category: registry_add
16    product: windows
17detection:
18    selection:
19        EventType: 'CreateKey'  # Don't want DeleteKey events
20        TargetObject|contains|all:
21            - 'HKU\'
22            - 'Classes\CLSID\'
23            - '\TreatAs'
24    filter_svchost:
25        # Example of target object by svchost
26        # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs
27        Image: 'C:\WINDOWS\system32\svchost.exe'
28    condition: selection and not 1 of filter_*
29falsepositives:
30    - Maybe some system utilities in rare cases use linking keys for backward compatibility
31level: medium

References

Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques

TL;DR There are several ways that attackers can leverage COM hijacking to influence evasive loading and hidden persistence. A few examples include CLSID (sub)key abandonment referencing, key …

Read More

Potential COM Object Hijacking Via TreatAs Subkey - Registry

Sigma rule (View on GitHub)

References

Abusing the COM Registry Structure (Part 2): Hijacking &amp; Loading&nbsp;Techniques

Related rules

Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques