COM Hijacking via TreatAs

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1546.015  ·
Share on: linkedin copy

Detect modification of TreatAs key to enable "rundll32.exe -sta" command

Sigma rule (View on GitHub)

 1title: COM Hijacking via TreatAs
 2id: dc5c24af-6995-49b2-86eb-a9ff62199e82
 3status: test
 4description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
 7    - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
 8author: frack113
 9date: 2022-08-28
10modified: 2025-07-11
11tags:
12    - attack.privilege-escalation
13    - attack.persistence
14    - attack.t1546.015
15logsource:
16    category: registry_set
17    product: windows
18detection:
19    selection:
20        TargetObject|endswith: 'TreatAs\(Default)'
21    filter_office:
22        Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
23        Image|endswith: '\OfficeClickToRun.exe'
24    filter_office2:
25        Image:
26            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
27            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
28    filter_svchost:
29        # Example of target object by svchost
30        # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
31        # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
32        Image: 'C:\Windows\system32\svchost.exe'
33    filter_misexec:
34        # This FP has been seen during installation/updates
35        Image:
36            - 'C:\Windows\system32\msiexec.exe'
37            - 'C:\Windows\SysWOW64\msiexec.exe'
38    condition: selection and not 1 of filter_*
39falsepositives:
40    - Legitimate use
41level: medium

References

Related rules

to-top