COM Hijack via Sdclt
Detects a write to the 'DelegateExecute' value under 'HKCU\Software\Classes\Folder\shell\open\command', the registry change at the centre of the sdclt.exe UAC bypass described in the references below. Because the match is a substring test that starts at '\Software\Classes', it also fires when the same path is logged under HKU\<SID> (how Sysmon records a user's HKCU) or under HKLM.
Sigma rule

title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
references:
  - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
  - https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020-09-27
modified: 2023-09-28
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.t1546
  - attack.t1548
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
  condition: selection
falsepositives:
  - Unknown
level: high
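To show what the selection actually matches on telemetry, the following is an added example, not code from the Sigma project or from the rule's author. It transcribes the rule's detection block into Python, evaluates it over constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records, which is the Windows event the registry_set log source maps to, and enriches each hit with the (Default) value written to the same command key by the same process, because in the sdclt technique that sibling value holds the payload while DelegateExecute is left empty and the rule only fires on the DelegateExecute write. The SID, process IDs, image paths and CLSID in the sample events are made up, and the matcher handles only one named selection with the contains, startswith and endswith modifiers.

```python
"""Run the 'COM Hijack via Sdclt' selection over Sysmon EID 13 records.

Added example, not part of the Sigma project. Every event below is
constructed: the SID, process IDs, paths and CLSID are invented.
"""

# The rule's detection section, transcribed as a Python literal.
RULE = {
    "title": "COM Hijack via Sdclt",
    "level": "high",
    "detection": {
        "selection": {
            "TargetObject|contains": r"\Software\Classes\Folder\shell\open\command\DelegateExecute",
        },
        "condition": "selection",
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_value(modifier, actual, expected):
    """Sigma string matching is case-insensitive; 'contains' is a substring test."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """Every field of a selection must match (AND); any listed value may match (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not any(_match_value(modifier, event[field], e) for e in _as_list(expected)):
            return False
    return True


def evaluate(rule, events):
    """Return the events satisfying the rule; only 'condition: <one selection>' is handled."""
    det = rule["detection"]
    cond = det["condition"].strip()
    if cond not in det:
        raise ValueError(f"unsupported condition: {cond!r}")
    return [ev for ev in events if selection_matches(det[cond], ev)]


def payload_for(hit, events):
    """Return the (Default) value the same process wrote to the hit's command key, if any.

    The rule fires on the DelegateExecute write; the command that sdclt.exe will
    run lives in the sibling (Default) value, which Sysmon logs as '...\\(Default)'.
    """
    key = hit["TargetObject"].rsplit("\\", 1)[0]
    wanted = (key + r"\(Default)").lower()
    for ev in events:
        if (ev.get("EventID") == 13 and ev.get("ProcessId") == hit.get("ProcessId")
                and ev.get("TargetObject", "").lower() == wanted):
            return ev.get("Details")
    return None


HKU = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user hive path
EVENTS = [
    # Payload is staged first. Not a hit: the pattern ends in DelegateExecute.
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": HKU + r"\Software\Classes\Folder\shell\open\command\(Default)",
     "Details": r"C:\Users\Public\payload.exe"},
    # Then DelegateExecute is set empty. Hit. Sysmon logs HKCU as HKU\<SID>, which is
    # why the rule's pattern starts at '\Software\Classes' rather than at 'HKCU\'.
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": HKU + r"\Software\Classes\Folder\shell\open\command\DelegateExecute",
     "Details": "(Empty)"},
    # Same value under HKLM in mixed case: also a hit, since the pattern pins neither
    # hive nor case. Installers touching this value are the obvious false positive.
    {"EventID": 13, "ProcessId": 988, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\Folder\Shell\Open\Command\DelegateExecute",
     "Details": "{00000000-0000-0000-0000-000000000000}"},  # placeholder CLSID, constructed
    # Unrelated Run-key persistence by the same process: not a hit.
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\updater.exe"},
]


def run():
    """Evaluate the rule over EVENTS and pair each hit with its payload, if one was logged."""
    return [(h["Image"], h["TargetObject"], payload_for(h, EVENTS)) for h in evaluate(RULE, EVENTS)]


if __name__ == "__main__":
    for image, target, payload in run():
        print(f"[{RULE['level']}] {RULE['title']}: {image} wrote {target}; payload={payload}")
```

Two of the four constructed events match, and only the HKU one can be paired with a payload, which is the triage question this rule leaves open: the HKLM hit from msiexec.exe with no sibling (Default) write by the same process is where the "Unknown" false positives will come from, so an analyst or a downstream filter would want the writing Image and the (Default) contents before escalating.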