
COM Object Hijacking Via Modification Of Default System CLSID Default Value

Format: Sigma · Level: HIGH · Source: SigmaHQ · ATT&CK: T1546.015 · Sentinel table: imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-29T11:00:00Z · Confidence: low

Hunt Hypothesis

Detects potential COM object hijacking via modification of default system CLSID.

Detection Rule

Sigma (Original)

title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
id: 790317c0-0a36-4a6a-a105-6e576bf99a14
related:
    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
      type: obsolete
    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
      type: obsolete
status: experimental
description: Detects potential COM object hijacking via modification of default system CLSID.
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
    - https://blog.talosintelligence.com/uat-5647-romcom/
    - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
    - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
    - https://github.com/rtecCyberSec/BitlockMove
    - https://cert.gov.ua/article/6284080
    - https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-16
modified: 2025-11-10
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_target_root:
        TargetObject|contains: '\CLSID\'
        TargetObject|endswith:
            - '\InprocServer32\(Default)'
            - '\LocalServer32\(Default)'
    selection_target_builtin_clsid:
        TargetObject|contains:
            # Note: Add other legitimate CLSID
            - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
            - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
            - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
            - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
            - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
            - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
            - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
            - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
            - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
            - '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
            - '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
            - '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
            - '\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\'
    selection_susp_location_1:
        Details|contains:
            # Note: Add more suspicious paths and locations
            - ':\Perflogs\'
            - '\AppData\Local\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\System32\spool\drivers\color\' # as seen in the knotweed blog
            - '\Temporary Internet'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '%appdata%'
            - '%temp%'
            - '%tmp%'
    selection_susp_location_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Details|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: all of selection_target_* and 1 of selection_susp_location_*
falsepositives:
    - Unlikely
level: high
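To make the condition `all of selection_target_* and 1 of selection_susp_location_*` concrete, the following is an added reference implementation of the rule's matching logic in Python (not SigmaHQ's code and not a Sigma backend). It runs over a handful of constructed registry_set events (Sysmon Event ID 13 shaped: TargetObject plus Details) and shows which ones the rule would flag; the CLSID list is a subset of the rule's allow-list, and the key paths, SIDs and file names in the samples are invented for the demonstration. Sigma string modifiers are case-insensitive, which the code reproduces by lower-casing both sides.

```python
"""Reference implementation of the Sigma rule's matching logic, run over
constructed registry_set events. Added example, not SigmaHQ's code; the
event dicts and the CLSID subset below are constructed for the demo."""

# Subset of selection_target_builtin_clsid (lower-cased; matching is case-insensitive).
BUILTIN_CLSIDS = (
    "\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\",
    "\\{2155fee3-2419-4373-b102-6843707eb41f}\\",
    "\\{603d3801-bd81-11d0-a3a5-00c04fd706ec}\\",
    "\\{aa509086-5ca9-4c25-8f95-589d3c07b48a}\\",
)

# selection_susp_location_1: any one of these substrings in Details.
SUSP_LOCATIONS = (
    ":\\perflogs\\",
    "\\appdata\\local\\",
    "\\desktop\\",
    "\\downloads\\",
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\system32\\spool\\drivers\\color\\",
    "\\temporary internet",
    "\\users\\public\\",
    "\\windows\\temp\\",
    "%appdata%",
    "%temp%",
    "%tmp%",
)

# selection_susp_location_2: ':\Users\' together with one of these profile folders.
USER_PROFILE_FOLDERS = ("\\favorites\\", "\\favourites\\", "\\contacts\\", "\\pictures\\")


def matches(event: dict) -> bool:
    """True if a registry_set event satisfies
    'all of selection_target_* and 1 of selection_susp_location_*'."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()

    # selection_target_root: a CLSID server key's (Default) value
    target_root = "\\clsid\\" in target and (
        target.endswith("\\inprocserver32\\(default)")
        or target.endswith("\\localserver32\\(default)")
    )
    # selection_target_builtin_clsid: only the allow-listed system CLSIDs
    target_builtin = any(c in target for c in BUILTIN_CLSIDS)
    # either suspicious-location selection is enough
    susp_1 = any(s in details for s in SUSP_LOCATIONS)
    susp_2 = ":\\users\\" in details and any(f in details for f in USER_PROFILE_FOLDERS)

    return target_root and target_builtin and (susp_1 or susp_2)


def run_detection(events):
    """Return the indices of the events the rule would flag."""
    return [i for i, e in enumerate(events) if matches(e)]


# Constructed sample events (paths, SIDs and file names are invented).
SAMPLE_EVENTS = [
    {   # 0: allow-listed CLSID repointed into the user's AppData -> hit
        "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32\(Default)",
        "Details": r"C:\Users\alice\AppData\Local\Temp\update.dll",
    },
    {   # 1: same key, value points under System32 -> no hit
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32\(Default)",
        "Details": r"C:\Windows\System32\example.dll",
    },
    {   # 2: suspicious path but a CLSID outside the allow-list -> no hit (rule scope)
        "TargetObject": r"HKCU\Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32\(Default)",
        "Details": r"C:\Users\alice\AppData\Local\x.dll",
    },
    {   # 3: LocalServer32 into a profile's Favourites folder -> hit via selection_susp_location_2
        "TargetObject": r"HKCU\Software\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\LocalServer32\(Default)",
        "Details": r"C:\Users\bob\Favourites\helper.exe",
    },
    {   # 4: ThreadingModel value rather than (Default) -> no hit
        "TargetObject": r"HKCU\Software\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InprocServer32\ThreadingModel",
        "Details": "Apartment",
    },
]

if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['TargetObject']} -> {SAMPLE_EVENTS[i]['Details']}")
```

Event 2 is the case to keep in mind when tuning: the rule deliberately only covers the CLSIDs in its allow-list, so a hijack of any other CLSID is silent here and needs the `# Note: Add other legitimate CLSID` list extended, not the location list.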

KQL (Azure Sentinel)

imRegistry
| where EventType == "RegistryValueSet"   // registry_set logsource: value writes only
// selection_target_root
| where RegistryKey contains "\\CLSID\\"
    and (RegistryKey endswith "\\InprocServer32\\(Default)" or RegistryKey endswith "\\LocalServer32\\(Default)")
// selection_target_builtin_clsid (the auto-translation used endswith "...*", which compares against a literal '*' and never matches)
| where RegistryKey contains "\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\"
    or RegistryKey contains "\\{2155fee3-2419-4373-b102-6843707eb41f}\\"
    or RegistryKey contains "\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\"
    or RegistryKey contains "\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\"
    or RegistryKey contains "\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\"
    or RegistryKey contains "\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\"
    or RegistryKey contains "\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\"
    or RegistryKey contains "\\{7849596a-48ea-486e-8937-a2a3009f31a9}\\"
    or RegistryKey contains "\\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\\"
    or RegistryKey contains "\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\\"
    or RegistryKey contains "\\{30D49246-D217-465F-B00B-AC9DDD652EB7}\\"
    or RegistryKey contains "\\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\\"
    or RegistryKey contains "\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\"
    or RegistryKey contains "\\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\\"
    or RegistryKey contains "\\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\\"
// selection_susp_location_1 or selection_susp_location_2
| where RegistryValueData contains ":\\Perflogs\\"
    or RegistryValueData contains "\\AppData\\Local\\"
    or RegistryValueData contains "\\Desktop\\"
    or RegistryValueData contains "\\Downloads\\"
    or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
    or RegistryValueData contains "\\System32\\spool\\drivers\\color\\"
    or RegistryValueData contains "\\Temporary Internet"
    or RegistryValueData contains "\\Users\\Public\\"
    or RegistryValueData contains "\\Windows\\Temp\\"
    or RegistryValueData contains "%appdata%"
    or RegistryValueData contains "%temp%"
    or RegistryValueData contains "%tmp%"
    or (RegistryValueData contains ":\\Users\\"
        and (RegistryValueData contains "\\Favorites\\" or RegistryValueData contains "\\Favourites\\"
             or RegistryValueData contains "\\Contacts\\" or RegistryValueData contains "\\Pictures\\"))

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"   // registry_set logsource: value writes only
// selection_target_root
// Note: DeviceRegistryEvents carries the value name in RegistryValueName rather than in RegistryKey;
// the "(Default)" suffix below follows the original auto-translation and must be validated against
// live events in your tenant (see the note at the top of this page) before the query is relied on.
| where RegistryKey contains "\\CLSID\\"
    and (RegistryKey endswith "\\InprocServer32\\(Default)" or RegistryKey endswith "\\LocalServer32\\(Default)")
// selection_target_builtin_clsid (the auto-translation used endswith "...*", which compares against a literal '*' and never matches)
| where RegistryKey contains "\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\"
    or RegistryKey contains "\\{2155fee3-2419-4373-b102-6843707eb41f}\\"
    or RegistryKey contains "\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\"
    or RegistryKey contains "\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\"
    or RegistryKey contains "\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\"
    or RegistryKey contains "\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\"
    or RegistryKey contains "\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\"
    or RegistryKey contains "\\{7849596a-48ea-486e-8937-a2a3009f31a9}\\"
    or RegistryKey contains "\\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\\"
    or RegistryKey contains "\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\\"
    or RegistryKey contains "\\{30D49246-D217-465F-B00B-AC9DDD652EB7}\\"
    or RegistryKey contains "\\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\\"
    or RegistryKey contains "\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\"
    or RegistryKey contains "\\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\\"
    or RegistryKey contains "\\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\\"
// selection_susp_location_1 or selection_susp_location_2
| where RegistryValueData contains ":\\Perflogs\\"
    or RegistryValueData contains "\\AppData\\Local\\"
    or RegistryValueData contains "\\Desktop\\"
    or RegistryValueData contains "\\Downloads\\"
    or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
    or RegistryValueData contains "\\System32\\spool\\drivers\\color\\"
    or RegistryValueData contains "\\Temporary Internet"
    or RegistryValueData contains "\\Users\\Public\\"
    or RegistryValueData contains "\\Windows\\Temp\\"
    or RegistryValueData contains "%appdata%"
    or RegistryValueData contains "%temp%"
    or RegistryValueData contains "%tmp%"
    or (RegistryValueData contains ":\\Users\\"
        and (RegistryValueData contains "\\Favorites\\" or RegistryValueData contains "\\Favourites\\"
             or RegistryValueData contains "\\Contacts\\" or RegistryValueData contains "\\Pictures\\"))

Required Data Sources

Sentinel Table: imRegistry
Notes: Ensure this data connector is enabled.

False Positive Guidance

The rule's falsepositives field lists "Unlikely": it only fires when one of the enumerated built-in system CLSIDs has its InprocServer32 or LocalServer32 default value pointed into a user-writable or temporary location. The two comment hooks in the rule mark the intended tuning points: extend the CLSID list under "Add other legitimate CLSID" to widen coverage, and extend the path list under "Add more suspicious paths and locations" to widen the locations considered suspicious.

MITRE ATT&CK Context

T1546.015 (Event Triggered Execution: Component Object Model Hijacking); tactics tagged by the rule: Persistence and Privilege Escalation.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml