LoFP / Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered.

Techniques

Sample rules

Removal of Potential COM Hijacking Registry Keys

Description

Detects any deletion of entries under registry keys matching ".*\shell\open\command". Such keys may have been used for COM hijacking by a threat actor, and their deletion could indicate an attempt to cover tracks.

Detection logic

condition: selection and not 1 of filter_*
filter_dropbox:
  Image|endswith: \Dropbox.exe
  TargetObject|contains: \Dropbox.
filter_everything:
  Image|endswith: \Everything.exe
  TargetObject|contains: \Everything.
filter_integrator:
  Image: C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_java:
  Image|endswith: \installer.exe
  Image|startswith: C:\Program Files (x86)\Java\
  TargetObject|contains: \Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}
filter_office:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_opera:
  Image|endswith: \installer.exe
  Image|startswith:
  - C:\Program Files\Opera\
  - C:\Program Files (x86)\Opera\
filter_peazip:
  Image|contains: peazip
  TargetObject|contains: \PeaZip.
filter_svchost:
  Image: C:\Windows\system32\svchost.exe
filter_uninstallers:
  Image|startswith: C:\Windows\Installer\MSI
filter_wireshark:
  Image|endswith: \AppData\Local\Temp\Wireshark_uninstaller.exe
  TargetObject|contains: \wireshark-capture-file\
selection:
  EventType: DeleteKey
  TargetObject|endswith: \shell\open\command
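As an added worked example (my code, not part of the LoFP page or the Sigma rule), the following Python evaluates the rule's selection and a subset of its filter_* blocks over constructed Sysmon-style registry events, returning which events would alert and which are suppressed as known false positives. EVENTS, SELECTION, FILTERS and evaluate are my own names; string matching is case-insensitive, as with Sigma's default modifiers.

```python
from typing import Dict, List, Optional, Union

# Constructed sample events in the shape of Sysmon registry telemetry (not real data).
EVENTS: List[Dict[str, str]] = [
    {"EventType": "DeleteKey", "Image": r"C:\Windows\Temp\updater.exe",
     "TargetObject": r"HKCR\CLSID\{00000000-0000-0000-0000-000000000000}\shell\open\command"},
    {"EventType": "DeleteKey", "Image": r"C:\Users\u\AppData\Roaming\Dropbox\Dropbox.exe",
     "TargetObject": r"HKCU\Software\Classes\Dropbox.1\shell\open\command"},
    {"EventType": "DeleteKey", "Image": r"C:\Windows\Installer\MSI1234.tmp",
     "TargetObject": r"HKCR\vendorfile\shell\open\command"},
    {"EventType": "SetValue", "Image": r"C:\Windows\Temp\updater.exe",
     "TargetObject": r"HKCR\txtfile\shell\open\command"},
]

# Rule logic transcribed from the detection block above: keys are "Field|modifier".
SELECTION = {"EventType": "DeleteKey", "TargetObject|endswith": r"\shell\open\command"}
FILTERS: Dict[str, Dict[str, Union[str, List[str]]]] = {
    "filter_dropbox": {"Image|endswith": r"\Dropbox.exe", "TargetObject|contains": r"\Dropbox."},
    "filter_svchost": {"Image": r"C:\Windows\system32\svchost.exe"},
    "filter_uninstallers": {"Image|startswith": r"C:\Windows\Installer\MSI"},
}


def _match_field(event: Dict[str, str], key: str, want: Union[str, List[str]]) -> bool:
    """Apply one Sigma string modifier; a list value means any entry may match."""
    field, _, mod = key.partition("|")
    have = event.get(field, "").lower()
    for w in (want if isinstance(want, list) else [want]):
        w = w.lower()
        if ((mod == "" and have == w) or (mod == "endswith" and have.endswith(w))
                or (mod == "startswith" and have.startswith(w)) or (mod == "contains" and w in have)):
            return True
    return False


def _match_block(event: Dict[str, str], block: Dict[str, Union[str, List[str]]]) -> bool:
    """All fields inside one selection/filter block are ANDed."""
    return all(_match_field(event, k, v) for k, v in block.items())


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """'alert' if selection matches and no filter does; the filter name if suppressed; None otherwise."""
    if not _match_block(event, SELECTION):
        return None
    for name, block in FILTERS.items():
        if _match_block(event, block):
            return name
    return "alert"


def triage(events: List[Dict[str, str]]) -> List[Optional[str]]:
    """Evaluate every event, mirroring 'selection and not 1 of filter_*'."""
    return [evaluate(e) for e in events]
```

Only the first event alerts: the Dropbox and MSI uninstaller deletions are suppressed by the filters, and the SetValue event never meets the selection.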