Removal of Potential COM Hijacking Registry Keys
Detects the deletion of registry keys whose path ends in "\shell\open\command". Such a key holds a shell verb handler, the command the shell runs when a file type, URL protocol or CLSID-registered object is opened (see the Microsoft shell launch and IExecuteCommand references in the rule), which makes it a hijacking target for persistence and UAC bypass. An attacker who planted such a handler may delete the key once it has served its purpose, and that cleanup step is what the rule is meant to catch; the referenced APT29 evaluation material covers this scenario. Because legitimate installers and uninstallers add and remove these keys constantly, the rule carries a long list of image-based filters and is expected to need per-environment tuning.
Sigma rule (View on GitHub)
title: Removal of Potential COM Hijacking Registry Keys
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
status: test
description: |
    Detects any deletion of entries in ".*\shell\open\command" registry keys.
    These registry keys might have been used for COM hijacking activities by a threat actor, and their deletion could indicate steps to cover their tracks.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/7
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
    - https://learn.microsoft.com/en-us/windows/win32/shell/launch
    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
    - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|endswith: '\shell\open\command'
    filter_main_explorer:
        Image|endswith: 'C:\Windows\explorer.exe'
    filter_main_svchost:
        Image: 'C:\Windows\system32\svchost.exe'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_main_generic_programs:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_openwith:
        Image: 'C:\Windows\System32\OpenWith.exe'
    filter_optional_dropbox:
        Image|endswith: '\Dropbox.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Dropbox.'
    filter_optional_wireshark:
        Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\wireshark-capture-file\'
    filter_optional_peazip:
        Image|contains: 'peazip'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\PeaZip.'
    filter_optional_everything:
        Image|endswith: '\Everything.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Everything.'
    filter_optional_uninstallers:
        # This image path is linked with different uninstallers when running as admin unfortunately
        Image|startswith: 'C:\Windows\Installer\MSI'
    filter_optional_java:
        Image|startswith: 'C:\Program Files (x86)\Java\'
        Image|endswith: '\installer.exe'
        TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
    filter_optional_edgeupdate:
        Image|contains: '\Microsoft\EdgeUpdate\Install'
    filter_optional_avira:
        # A directory path can only be matched as a prefix; a plain (exact) Image match against it would never fire
        Image|startswith:
            - 'C:\Program Files (x86)\Avira\Antivirus\'
            - 'C:\Program Files\Avira\Antivirus\'
        TargetObject|endswith:
            - '\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command'
            - '\AntiVir.Keyfile\shell\open\command'
    filter_optional_installer_temp:
        - Image|contains|all:
              - 'AppData\Local\Temp'
              - '\setup.exe'
        - Image|contains|all:
              - '\Temp\is-'
              - '\target.tmp'
    filter_optional_ninite:
        Image|endswith: '\ninite.exe'
    filter_optional_discord:
        Image|endswith: '\reg.exe'
        TargetObject|endswith: '\Discord\shell\open\command'
    filter_optional_spotify:
        Image|endswith: '\Spotify.exe'
        TargetObject|endswith: '\Spotify\shell\open\command'
    filter_optional_eclipse:
        Image|endswith: 'C:\eclipse\eclipse.exe'
        TargetObject|contains: '_Classes\eclipse+'
    filter_optional_teamviewer:
        Image|contains|all:
            - '\Temp'
            - '\TeamViewer'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered.
level: medium
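To see how the condition `selection and not 1 of filter_main_* and not 1 of filter_optional_*` behaves on real-looking telemetry, here is an added example (not SigmaHQ's or the rule author's code) that transcribes the selection and a subset of the filters into a small case-insensitive matcher and runs it over constructed records shaped like Sysmon Event ID 12 registry deletions, which is what the `registry_delete` log source resolves to. The events, user name, SID and image paths are made up for the demonstration; the matcher supports only the modifiers this rule uses.

```python
"""Mini evaluator for the 'Removal of Potential COM Hijacking Registry Keys'
logic. Added example, not SigmaHQ code: a subset of the rule's filters is
transcribed below and the events at the bottom are constructed."""


def _match_one(value, modifier, pattern):
    """Sigma string matching is case-insensitive, so compare lowercased."""
    value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "contains":
        return pattern in value
    return value == pattern  # no modifier: exact match


def match_selection(event, selection):
    """A dict is an AND over its fields; a list of dicts is an OR.
    A list of patterns for one field is an OR, unless '|all' is present."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        modifier = mods[0] if mods else ""
        need_all = "all" in mods
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        hits = [_match_one(event[field], modifier, p) for p in patterns]
        if not (all(hits) if need_all else any(hits)):
            return False
    return True


SELECTION = {"TargetObject|endswith": r"\shell\open\command"}

# A representative subset of the rule's filter_main_* / filter_optional_* blocks.
FILTERS = {
    "filter_main_explorer": {"Image|endswith": r"C:\Windows\explorer.exe"},
    "filter_main_svchost": {"Image": r"C:\Windows\system32\svchost.exe"},
    "filter_main_msiexec": {"Image": [r"C:\Windows\System32\msiexec.exe",
                                      r"C:\Windows\SysWOW64\msiexec.exe"]},
    "filter_main_generic_programs": {"Image|startswith": ["C:\\Program Files\\",
                                                          "C:\\Program Files (x86)\\"]},
    "filter_optional_dropbox": {"Image|endswith": r"\Dropbox.exe",
                                "TargetObject|contains": r"\Dropbox."},
    "filter_optional_discord": {"Image|endswith": r"\reg.exe",
                                "TargetObject|endswith": r"\Discord\shell\open\command"},
    "filter_optional_installer_temp": [
        {"Image|contains|all": [r"AppData\Local\Temp", r"\setup.exe"]},
        {"Image|contains|all": [r"\Temp\is-", r"\target.tmp"]},
    ],
}


def rule_fires(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not match_selection(event, SELECTION):
        return False
    return not any(match_selection(event, f) for f in FILTERS.values())


def alerts(events):
    """Indices of the events on which the rule fires."""
    return [i for i, ev in enumerate(events) if rule_fires(ev)]


# Constructed records carrying the Sysmon Event ID 12 fields the rule uses.
SID = "S-1-5-21-1004336348-1177238915-682003330-1001"
USER_CLASSES = "HKU\\" + SID + r"\Software\Classes"
EVENTS = [
    # A per-user Folder handler removed after use: fires.
    {"EventType": "DeleteKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": USER_CLASSES + r"\Folder\shell\open\command"},
    # Explorer tidying a file association: dropped by filter_main_explorer.
    {"EventType": "DeleteKey", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCR\Applications\notepad.exe\shell\open\command"},
    # Installer in %TEMP%, mixed case on disk: dropped by filter_optional_installer_temp.
    {"EventType": "DeleteKey", "Image": r"C:\Users\alice\AppData\Local\Temp\Setup.exe",
     "TargetObject": r"HKCR\Applications\tool.exe\shell\open\command"},
    # reg.exe removing a Discord handler: dropped by filter_optional_discord.
    {"EventType": "DeleteKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKCR\Discord\shell\open\command"},
    # Unknown binary in a user profile deleting a per-user handler: fires.
    {"EventType": "DeleteKey", "Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "TargetObject": USER_CLASSES + r"\ms-settings\shell\open\command"},
    # Only a value under the key is deleted: TargetObject no longer ends with the selection string.
    {"EventType": "DeleteValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": USER_CLASSES + r"\Folder\shell\open\command\DelegateExecute"},
]

if __name__ == "__main__":
    for i in alerts(EVENTS):
        print(f"ALERT event {i}: {EVENTS[i]['Image']} deleted {EVENTS[i]['TargetObject']}")
```

Two things the run makes visible: every `Image` filter is keyed on the process path alone, so an attacker whose cleanup runs from inside `C:\Program Files\` or a `setup.exe` in `%TEMP%` is silently excluded, and a `DeleteValue` on the `DelegateExecute` value under the key is not covered at all because the selection anchors on the key path ending. Tune the filters with that trade-off in mind.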
Related rules
- Service Binary in Suspicious Folder
- Disable Security Events Logging Adding Reg Key MiniNt
- Security Event Logging Disabled via MiniNt Registry Key - Process
- Security Event Logging Disabled via MiniNt Registry Key - Registry Set
- Registry Manipulation via WMI Stdregprov