Removal of Potential COM Hijacking Registry Keys

Detects any deletion of entries in ".*\shell\open\command" registry keys. These keys might have been used for COM hijacking by a threat actor, and their deletion could indicate an attempt to remove traces of that activity.

Sigma rule

title: Removal of Potential COM Hijacking Registry Keys
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
status: test
description: |
    Detects any deletion of entries in ".*\shell\open\command" registry keys.
    These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/7
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
    - https://learn.microsoft.com/en-us/windows/win32/shell/launch
    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
    - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|endswith: '\shell\open\command'
    filter_main_explorer:
        Image|endswith: 'C:\Windows\explorer.exe'
    filter_main_svchost:
        Image: 'C:\Windows\system32\svchost.exe'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_main_generic_prorams:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_openwith:
        Image: 'C:\Windows\System32\OpenWith.exe'
    filter_optional_dropbox:
        Image|endswith: '\Dropbox.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Dropbox.'
    filter_optional_wireshark:
        Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\wireshark-capture-file\'
    filter_optional_peazip:
        Image|contains: 'peazip'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\PeaZip.'
    filter_optional_everything:
        Image|endswith: '\Everything.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Everything.'
    filter_optional_uninstallers:
        # This image path is linked with different uninstallers when running as admin unfortunately
        Image|startswith: 'C:\Windows\Installer\MSI'
    filter_optional_java:
        Image|startswith: 'C:\Program Files (x86)\Java\'
        Image|endswith: '\installer.exe'
        TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
    filter_optional_edgeupdate:
        Image|contains: '\Microsoft\EdgeUpdate\Install'
    filter_optional_avira:
        Image:
            - 'C:\Program Files (x86)\Avira\Antivirus\'
            - 'C:\Program Files\Avira\Antivirus\'
        TargetObject|endswith:
            - '\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command'
            - '\AntiVir.Keyfile\shell\open\command'
    filter_optional_installer_temp:
        - Image|contains|all:
              - 'AppData\Local\Temp'
              - '\setup.exe'
        - Image|contains|all:
              - '\Temp\is-'
              - '\target.tmp'
    filter_optional_ninite:
        Image|endswith: '\ninite.exe'
    filter_optional_discord:
        Image|endswith: '\reg.exe'
        TargetObject|endswith: '\Discord\shell\open\command'
    filter_optional_spotify:
        Image|endswith: '\Spotify.exe'
        TargetObject|endswith: '\Spotify\shell\open\command'
    filter_optional_eclipse:
        Image|endswith: 'C:\eclipse\eclipse.exe'
        TargetObject|contains: '_Classes\eclipse+'
    filter_optional_teamviewer:
        Image|contains|all:
            - '\Temp'
            - '\TeamViewer'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered
level: medium
