← Back to Explore
sigmamediumHunting
Potential COM Object Hijacking Via TreatAs Subkey - Registry
Detects COM object hijacking via TreatAs subkey
Detection Query
selection:
TargetObject|contains|all:
- HKU\
- Classes\CLSID\
- \TreatAs
filter_main_svchost:
Image: C:\WINDOWS\system32\svchost.exe
condition: selection and not 1 of filter_main_*
Author
Kutepov Anton, oscd.community
Created
2019-10-23
Data Sources
windowsRegistry Set Events
Platforms
windows
Tags
attack.privilege-escalationattack.persistenceattack.t1546.015
Raw Content
title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: test
description: Detects COM object hijacking via TreatAs subkey
references:
- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019-10-23
modified: 2025-10-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.015
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- 'HKU\'
- 'Classes\CLSID\'
- '\TreatAs'
filter_main_svchost:
# Example of target object by svchost
# TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs
Image: 'C:\WINDOWS\system32\svchost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compatibility
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml
simulation:
- type: atomic-red-team
name: COM hijacking via TreatAs
technique: T1546.015
atomic_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9