LoFP / Some system utilities may, in rare cases, legitimately create TreatAs linking keys for backward compatibility

Techniques

Sample rules

Potential COM Object Hijacking Via TreatAs Subkey - Registry

Description

Detects potential COM object hijacking via creation of a TreatAs subkey under a per-user CLSID entry (HKU\...\Classes\CLSID\{clsid}\TreatAs). The default value of TreatAs names another CLSID that COM instantiates in place of the original class, so a user-writable TreatAs key can redirect any process that activates that class to attacker-controlled code. Key creation by svchost.exe is filtered out.

Detection logic

selection:
  EventType: CreateKey
  TargetObject|contains|all:
  - HKU\
  - Classes\CLSID\
  - \TreatAs
filter_svchost:
  Image: C:\WINDOWS\system32\svchost.exe
condition: selection and not 1 of filter_*
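The following is an added example, not part of the LoFP page or the Sigma project's own code: a minimal Python evaluation of the detection block above over constructed Sysmon registry events (Event ID 12 style fields EventType, Image, TargetObject). It shows which event fires the rule, which one the svchost filter suppresses, and which ones fall outside the selection. The SIDs, CLSIDs and process paths in the sample events are placeholders, not real data.

```python
# Added example: evaluate the Sigma detection block from this page over
# constructed Sysmon registry events. Not the page's or Sigma's own code.
from dataclasses import dataclass


@dataclass
class RegistryEvent:
    event_type: str      # Sysmon EventType: CreateKey, DeleteKey, SetValue, ...
    image: str           # full path of the process performing the operation
    target_object: str   # registry path as Sysmon logs it (HKU\..., HKLM\...)


# Rule terms copied from the detection block above.
SELECTION_EVENT_TYPE = "CreateKey"
SELECTION_ALL_OF = ("HKU\\", "Classes\\CLSID\\", "\\TreatAs")
FILTER_IMAGE = "C:\\WINDOWS\\system32\\svchost.exe"


def matches_selection(ev: RegistryEvent) -> bool:
    # Sigma string matching is case-insensitive by default, and the
    # |contains|all modifier requires every listed substring to be present.
    if ev.event_type.lower() != SELECTION_EVENT_TYPE.lower():
        return False
    target = ev.target_object.lower()
    return all(term.lower() in target for term in SELECTION_ALL_OF)


def matches_filter(ev: RegistryEvent) -> bool:
    # filter_svchost: exact (case-insensitive) match on the process image path.
    return ev.image.lower() == FILTER_IMAGE.lower()


def rule_fires(ev: RegistryEvent) -> bool:
    # condition: selection and not 1 of filter_*
    return matches_selection(ev) and not matches_filter(ev)


# Constructed sample events (placeholder SIDs, CLSIDs and paths).
SAMPLE_EVENTS = [
    # 1: TreatAs key created under a per-user CLSID by an unusual process -> alert
    RegistryEvent(
        "CreateKey",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
        "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\"
        "{00000000-0000-0000-0000-000000000001}\\TreatAs",
    ),
    # 2: same key created by svchost.exe -> suppressed by filter_svchost
    RegistryEvent(
        "CreateKey",
        "C:\\WINDOWS\\system32\\svchost.exe",
        "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\"
        "{00000000-0000-0000-0000-000000000002}\\TreatAs",
    ),
    # 3: machine-wide hive, not HKU -> outside the selection
    RegistryEvent(
        "CreateKey",
        "C:\\Windows\\System32\\msiexec.exe",
        "HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000003}\\TreatAs",
    ),
    # 4: value write instead of key creation -> outside the selection
    RegistryEvent(
        "SetValue",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
        "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\"
        "{00000000-0000-0000-0000-000000000001}\\TreatAs\\(Default)",
    ),
]


def alerts(events) -> list:
    """Return the 1-based indices of events on which the rule fires."""
    return [i for i, ev in enumerate(events, start=1) if rule_fires(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, start=1):
        print(i, "ALERT" if rule_fires(ev) else "-", ev.image, ev.target_object)
```

Two points the walk-through makes visible: the `HKU\` term restricts the rule to per-user hives, so a TreatAs key written under HKLM (which needs administrative rights) does not match; and the filter keys on the exact svchost.exe path only, so the false-positive case named at the top of this page (a system utility other than svchost.exe creating a linking key) still fires and has to be triaged by checking what CLSID the TreatAs default value points to and whether that class resolves to an expected, signed binary.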