Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this analytic looks for any changes under these keys.

ATT&CK Detection

Technique Subtechnique(s) Tactic(s) Level of Coverage
Event Triggered Execution Component Object Model Hijacking Persistence, Privilege Escalation Moderate

Data Model References

Object Action Field
registry add key
registry remove key
registry edit key

Implementations

Pseudocode - COM object registry entry modification (Pseudocode, CAR native)

This is a pseudocode representation of the below splunk search.

registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) 
clsid_keys = filter registry_keys where (
  key = "*\Software\Classes\CLSID\*")
output clsid_keys

Splunk search - COM object registry entry modification (Splunk, Sysmon native)

This Splunk search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows COM Object registry key.

index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Classes\\CLSID\\*"