COM Hijacking via TreatAs

Detect modification of TreatAs key to enable "rundll32.exe -sta" command

Sigma rule (View on GitHub)

 1title: COM Hijacking via TreatAs
 2id: dc5c24af-6995-49b2-86eb-a9ff62199e82
 3status: test
 4description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
 7    - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
 8author: frack113
 9date: 2022/08/28
10modified: 2023/08/17
11tags:
12    - attack.persistence
13    - attack.t1546.015
14logsource:
15    category: registry_set
16    product: windows
17detection:
18    selection:
19        TargetObject|endswith: 'TreatAs\(Default)'
20    filter_office:
21        Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
22        Image|endswith: '\OfficeClickToRun.exe'
23    filter_office2:
24        Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
25    filter_svchost:
26        # Example of target object by svchost
27        # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
28        # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
29        Image: 'C:\Windows\system32\svchost.exe'
30    filter_misexec:
31        # This FP has been seen during installation/updates
32        Image:
33            - 'C:\Windows\system32\msiexec.exe'
34            - 'C:\Windows\SysWOW64\msiexec.exe'
35    condition: selection and not 1 of filter_*
36falsepositives:
37    - Legitimate use
38level: medium

References

Related rules

to-top