LoFP / Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered

Techniques

Sample rules

Removal of Potential COM Hijacking Registry Keys

Description

Detects any deletion of entries under “.*\shell\open\command” registry keys. These keys might have been used for COM hijacking by a threat actor, and their deletion could indicate an attempt to cover tracks.

Detection logic

# The event must match selection, and must match none of the filter_main_* or filter_optional_* groups
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_explorer:
  Image|endswith: C:\Windows\explorer.exe
filter_main_generic_programs:
  Image|startswith:
  - C:\Program Files\
  - C:\Program Files (x86)\
filter_main_msiexec:
  Image:
  - C:\Windows\System32\msiexec.exe
  - C:\Windows\SysWOW64\msiexec.exe
filter_main_openwith:
  Image: C:\Windows\System32\OpenWith.exe
filter_main_svchost:
  Image: C:\Windows\system32\svchost.exe
filter_optional_avira:
  Image:
  - C:\Program Files (x86)\Avira\Antivirus\
  - C:\Program Files\Avira\Antivirus\
  TargetObject|endswith:
  - \CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command
  - \AntiVir.Keyfile\shell\open\command
filter_optional_discord:
  Image|endswith: \reg.exe
  TargetObject|endswith: \Discord\shell\open\command
filter_optional_dropbox:
  Image|endswith: \Dropbox.exe
  TargetObject|contains: \Dropbox.
filter_optional_eclipse:
  Image|endswith: C:\eclipse\eclipse.exe
  TargetObject|contains: _Classes\eclipse+
filter_optional_edgeupdate:
  Image|contains: \Microsoft\EdgeUpdate\Install
filter_optional_everything:
  Image|endswith: \Everything.exe
  TargetObject|contains: \Everything.
filter_optional_installer_temp:
- Image|contains|all:
  - AppData\Local\Temp
  - \setup.exe
- Image|contains|all:
  - \Temp\is-
  - \target.tmp
filter_optional_java:
  Image|endswith: \installer.exe
  Image|startswith: C:\Program Files (x86)\Java\
  TargetObject|contains: \Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}
filter_optional_ninite:
  Image|endswith: \ninite.exe
filter_optional_peazip:
  Image|contains: peazip
  TargetObject|contains: \PeaZip.
filter_optional_spotify:
  Image|endswith: \Spotify.exe
  TargetObject|endswith: \Spotify\shell\open\command
filter_optional_teamviewer:
  Image|contains|all:
  - \Temp
  - \TeamViewer
filter_optional_uninstallers:
  Image|startswith: C:\Windows\Installer\MSI
filter_optional_wireshark:
  Image|endswith: \AppData\Local\Temp\Wireshark_uninstaller.exe
  TargetObject|contains: \wireshark-capture-file\
# Any registry deletion whose target key ends in \shell\open\command
selection:
  TargetObject|endswith: \shell\open\command
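The condition above, worked through in code as an added example that is not from the LoFP page or the Sigma project: a minimal Python evaluator for the Sigma string modifiers this rule relies on (endswith, startswith, contains, contains|all, a list of values as OR, keys within one map as AND, a list of maps as OR) and for the `selection and not 1 of filter_*` condition, run over constructed Sysmon registry events. The filter set is a representative subset of the rule's filters, the event field names (Image, TargetObject) follow Sysmon, and the logsource step (restricting to registry deletion events) is assumed to have happened upstream.

```python
"""Minimal evaluator for the Sigma detection logic shown above.

Added example, not code from the LoFP page or the Sigma project. The
detection dict below is a representative subset of the rule's filters;
logsource selection (registry deletion events) is assumed to have been
applied before these events reach the evaluator.
"""
import fnmatch


def _match_one(value, pattern, modifiers):
    # Sigma string matching is case-insensitive, so compare lower-cased
    v, p = value.lower(), pattern.lower()
    if "endswith" in modifiers:
        return v.endswith(p)
    if "startswith" in modifiers:
        return v.startswith(p)
    if "contains" in modifiers:
        return p in v
    return v == p


def match_field(event, key, patterns):
    # key looks like "Image|contains|all": field name, then modifiers
    field, *modifiers = key.split("|")
    value = event.get(field, "")
    if isinstance(patterns, str):
        patterns = [patterns]
    # a list of values is OR, unless the "all" modifier makes it AND
    if "all" in modifiers:
        return all(_match_one(value, p, modifiers) for p in patterns)
    return any(_match_one(value, p, modifiers) for p in patterns)


def match_group(event, group):
    # a list of maps is OR of the maps; keys inside one map are AND
    if isinstance(group, list):
        return any(match_group(event, m) for m in group)
    return all(match_field(event, k, v) for k, v in group.items())


# Subset of the rule's detection section, transcribed as Python literals
DETECTION = {
    "selection": {"TargetObject|endswith": "\\shell\\open\\command"},
    "filter_main_explorer": {"Image|endswith": "C:\\Windows\\explorer.exe"},
    "filter_main_msiexec": {"Image": ["C:\\Windows\\System32\\msiexec.exe",
                                      "C:\\Windows\\SysWOW64\\msiexec.exe"]},
    "filter_optional_discord": {"Image|endswith": "\\reg.exe",
                                "TargetObject|endswith": "\\Discord\\shell\\open\\command"},
    "filter_optional_installer_temp": [
        {"Image|contains|all": ["AppData\\Local\\Temp", "\\setup.exe"]},
        {"Image|contains|all": ["\\Temp\\is-", "\\target.tmp"]},
    ],
}


def evaluate(event, detection=DETECTION):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not match_group(event, detection["selection"]):
        return False
    for name, group in detection.items():
        if fnmatch.fnmatch(name, "filter_main_*") or fnmatch.fnmatch(name, "filter_optional_*"):
            if match_group(event, group):
                return False  # a known-benign (un)installer explained the deletion
    return True


# Constructed sample events (not real telemetry); CLSID is a placeholder
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\Acme.Document\\shell\\open\\command"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKCR\\Discord\\shell\\open\\command"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\acme\\setup.exe",
     "TargetObject": "HKCR\\Acme.Archive\\shell\\open\\command"},
    {"Image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe",
     "TargetObject": "HKCU\\Software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\shell\\open\\command"},
    {"Image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe",
     "TargetObject": "HKCU\\Software\\Acme\\Run"},
]


def flagged_events(events=SAMPLE_EVENTS):
    """Return the indices of events that survive the filters and would alert."""
    return [i for i, e in enumerate(events) if evaluate(e)]


if __name__ == "__main__":
    for i in flagged_events():
        print("ALERT:", SAMPLE_EVENTS[i]["Image"], "->", SAMPLE_EVENTS[i]["TargetObject"])
```

Only the fourth event (an unknown binary under a user's roaming profile deleting a CLSID handler) alerts; the msiexec, reg.exe/Discord and Temp\setup.exe deletions are absorbed by the filters, and the last event never matches the selection. When a new benign (un)installer shows up in the alert queue, the fix is a new filter_optional_* entry scoped as tightly as the existing ones (image path plus target key), not a broader selection.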