COM Hijacking via TreatAs

 1title: COM Hijacking via TreatAs
 2id: dc5c24af-6995-49b2-86eb-a9ff62199e82
 3status: test
 4description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
 7    - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
 8author: frack113
 9date: 2022-08-28
10modified: 2025-07-11
11tags:
12    - attack.persistence
13    - attack.t1546.015
14logsource:
15    category: registry_set
16    product: windows
17detection:
18    selection:
19        TargetObject|endswith: 'TreatAs\(Default)'
20    filter_office:
21        Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
22        Image|endswith: '\OfficeClickToRun.exe'
23    filter_office2:
24        Image:
25            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
26            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
27    filter_svchost:
28        # Example of target object by svchost
29        # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
30        # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
31        Image: 'C:\Windows\system32\svchost.exe'
32    filter_misexec:
33        # This FP has been seen during installation/updates
34        Image:
35            - 'C:\Windows\system32\msiexec.exe'
36            - 'C:\Windows\SysWOW64\msiexec.exe'
37    condition: selection and not 1 of filter_*
38falsepositives:
39    - Legitimate use
40level: medium