T1546.015 Component Object Model Hijacking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousComPaths = dynamic([
    "AppData", "Temp", "ProgramData", "Users\\Public",
    "powershell", "cmd.exe", "wscript", "cscript", "mshta",
    "rundll32", "regsvr32"
  ]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where (
    (RegistryKey has "HKCU\\SOFTWARE\\Classes\\CLSID"
     or RegistryKey has "SOFTWARE\\Classes\\CLSID")
    and RegistryValueName in~ ("InprocServer32", "LocalServer32", "InprocServer", "LocalServer",
                               "TreatAs", "ProgID")
  )
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend ClsidGuid = extract(@"CLSID\\(\{[0-9A-Fa-f-]+\})", 1, RegistryKey)
| extend IsHkcuOverride = RegistryKey has "HKCU"
| extend IsSuspiciousPayload = RegistryValueData has_any (SuspiciousComPaths)
| extend IsSystemPath = RegistryValueData has_any (
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\"
  )
| where IsSuspiciousPayload or (IsHkcuOverride and not IsSystemPath)
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
         ClsidGuid, RegistryValueName, RegistryValueData,
         IsHkcuOverride, IsSuspiciousPayload,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

high severity medium confidence

Data Sources

Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives

Software installations that register COM servers in HKLM\SOFTWARE\Classes\CLSID with legitimate DLL or EXE paths
ClickOnce and XCOPY application deployments that register COM objects in HKCU for per-user installation
Office add-ins and third-party software plugins that register COM objects in the user hive for per-user functionality
Developer environments and test builds that register experimental or debug COM servers

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval IsComHijack=if(
    (EventCode=12 OR EventCode=13)
    AND match(TargetObject, "Classes\\\\CLSID\\\\")
    AND match(TargetObject, "(InprocServer32|LocalServer32|InprocServer|LocalServer|TreatAs)"),
    1, 0
  )
| where IsComHijack=1
| eval IsHKCU=if(match(TargetObject, "(HKU\\\\|HKCU\\\\|Software\\\\Classes\\\\CLSID)"), 1, 0)
| eval IsSuspiciousPath=if(
    match(lower(Details), "(appdata|\\\\temp\\\\|programdata|public|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32)"),
    1, 0
  )
| eval IsNotSystemPath=if(
    NOT match(Details, "(?i)(windows\\\\system32|syswow64|program files)"),
    1, 0
  )
| eval ClsidGuid=rex(TargetObject, "CLSID\\\\(?P<ClsidGuid>\\{[0-9A-Fa-f-]+\\})")
| eval DetectionType=case(
    IsSuspiciousPath=1, "COM_SUSPICIOUS_PAYLOAD",
    IsHKCU=1 AND IsNotSystemPath=1, "COM_HKCU_NON_SYSTEM",
    IsHKCU=1, "COM_HKCU_OVERRIDE",
    1=1, "COM_HKLM_MODIFICATION"
  )
| table _time, host, User, EventCode, DetectionType, ClsidGuid, TargetObject, Details, Image
| sort - _time

high severity medium confidence

Data Sources

Windows Registry: Registry Key Modification Sysmon Event ID 12 (RegistryEvent - Object Create/Delete) Sysmon Event ID 13 (RegistryEvent - Value Set)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software installations registering COM servers in CLSID
ClickOnce/XCOPY per-user COM registrations in HKCU
Office add-ins and third-party plugins registering COM objects
Developer environments registering experimental COM servers

Elastic Security (EQL)

eql

registry where event.type in ("creation", "change") and
  registry.path : (
    "HKU\\*\\SOFTWARE\\Classes\\CLSID\\*\\InprocServer32",
    "HKU\\*\\SOFTWARE\\Classes\\CLSID\\*\\LocalServer32",
    "HKU\\*\\SOFTWARE\\Classes\\CLSID\\*\\InprocServer",
    "HKU\\*\\SOFTWARE\\Classes\\CLSID\\*\\LocalServer",
    "HKU\\*\\SOFTWARE\\Classes\\CLSID\\*\\TreatAs",
    "HKU\\*\\SOFTWARE\\Classes\\CLSID\\*\\ProgID",
    "HKCU\\SOFTWARE\\Classes\\CLSID\\*\\InprocServer32",
    "HKCU\\SOFTWARE\\Classes\\CLSID\\*\\LocalServer32",
    "HKCU\\SOFTWARE\\Classes\\CLSID\\*\\InprocServer",
    "HKCU\\SOFTWARE\\Classes\\CLSID\\*\\LocalServer",
    "HKCU\\SOFTWARE\\Classes\\CLSID\\*\\TreatAs",
    "HKCU\\SOFTWARE\\Classes\\CLSID\\*\\ProgID",
    "HKLM\\SOFTWARE\\Classes\\CLSID\\*\\InprocServer32",
    "HKLM\\SOFTWARE\\Classes\\CLSID\\*\\LocalServer32"
  ) and
  (
    registry.data.strings : (
      "*AppData*", "*\\Temp\\*", "*ProgramData*", "*Users\\Public*",
      "*powershell*", "*cmd.exe*", "*wscript*", "*cscript*",
      "*mshta*", "*rundll32*", "*regsvr32*"
    ) or
    (
      registry.path : ("HKU\\*\\SOFTWARE\\Classes\\CLSID*", "HKCU\\SOFTWARE\\Classes\\CLSID*") and
      not registry.data.strings : (
        "*C:\\Windows\\system32\\*",
        "*C:\\Windows\\SysWOW64\\*",
        "*C:\\Program Files\\*",
        "*C:\\Program Files (x86)\\*"
      )
    )
  )

high severity high confidence

Data Sources

Windows Registry Endpoint Detection (Sysmon or Elastic Agent)

Required Tables

registry (ECS registry events from Elastic Agent or Winlogbeat)

False Positives

Legitimate software installation that registers COM components in user-space HKCU paths (e.g., per-user Office add-ins or browser extensions)
Developer tools or IDEs that register test COM objects in AppData during development workflows
Automation frameworks like AutoHotkey or scripting tools that legitimately register COM servers pointing to script hosts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "TargetObject" AS registry_key,
  "Details" AS registry_value_data,
  "Image" AS initiating_process,
  CASE
    WHEN LOWER("Details") MATCHES '.*?(appdata|\\\\temp\\\\|programdata|users\\\\public|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32).*?' THEN 'COM_SUSPICIOUS_PAYLOAD'
    WHEN "TargetObject" MATCHES '.*?(HKU\\\\|HKCU\\\\|Software\\\\Classes\\\\CLSID).*?' AND NOT (LOWER("Details") MATCHES '.*?(windows\\\\system32|syswow64|program files).*?') THEN 'COM_HKCU_NON_SYSTEM'
    WHEN "TargetObject" MATCHES '.*?(HKU\\\\|HKCU\\\\).*?' THEN 'COM_HKCU_OVERRIDE'
    ELSE 'COM_HKLM_MODIFICATION'
  END AS detection_type,
  REGEXP_EXTRACT("TargetObject", 'CLSID\\\\(\\{[0-9A-Fa-f\\-]+\\})') AS clsid_guid
FROM events
WHERE
  LOGSOURCETYPEID = 12 /* Microsoft Windows Security Event Log */
  AND QIDNAME(qid) IN ('Registry Value Set', 'Registry Object Added or Deleted', 'Sysmon - Registry value set', 'Sysmon - Registry object added or deleted')
  AND (
    ("EventID" IN ('12', '13') AND
     "TargetObject" MATCHES '.*?Classes\\\\CLSID\\\\.*?(InprocServer32|LocalServer32|InprocServer|LocalServer|TreatAs|ProgID).*?')
  )
  AND (
    LOWER("Details") MATCHES '.*?(appdata|\\\\temp\\\\|programdata|users\\\\public|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32).*?'
    OR (
      "TargetObject" MATCHES '.*?(HKU\\\\|HKCU\\\\|Software\\\\Classes\\\\CLSID).*?'
      AND NOT LOWER("Details") MATCHES '.*?(windows\\\\system32|syswow64|program files).*?'
    )
  )
  AND LAST 1 DAYS
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon (EventID 12, 13) Windows Security Event Log

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, Intune) registering COM components for managed applications in user profiles
Legitimate per-user COM server registration by productivity software (Microsoft Office, Adobe) during first-run setup
Security tools or EDR agents that register monitoring hooks via COM interfaces in non-standard paths

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID in ("12", "13")
| where TargetObject matches /Classes\\CLSID\\/ and TargetObject matches /(InprocServer32|LocalServer32|InprocServer|LocalServer|TreatAs|ProgID)/
| eval is_hkcu = if(TargetObject matches /HKU\\|HKCU\\|Software\\Classes\\CLSID/, 1, 0)
| eval is_suspicious_path = if(
    toLower(Details) matches /(appdata|\\temp\\|programdata|users\\public|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32)/,
    1, 0
  )
| eval is_system_path = if(
    toLower(Details) matches /(windows\\system32|syswow64|program files)/,
    1, 0
  )
| where is_suspicious_path = 1 or (is_hkcu = 1 and is_system_path = 0)
| parse regex field=TargetObject "CLSID\\\\(?P<clsid_guid>\{[0-9A-Fa-f\-]+\})" nodrop
| eval detection_type = if(is_suspicious_path = 1, "COM_SUSPICIOUS_PAYLOAD",
    if(is_hkcu = 1 and is_system_path = 0, "COM_HKCU_NON_SYSTEM",
      if(is_hkcu = 1, "COM_HKCU_OVERRIDE", "COM_HKLM_MODIFICATION")))
| fields _messageTime, Computer, User, EventID, detection_type, clsid_guid, TargetObject, Details, Image
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon Operational Log (EventID 12, 13) Windows Security Event Log

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Software installers that use per-user COM registration (HKCU) to avoid requiring administrator privileges, such as Google Chrome or Firefox update mechanisms
Python or .NET developer environments registering COM interop assemblies in user-accessible paths during SDK setup
Legitimate administrative scripts using regsvr32 or rundll32 to register or re-register COM components after repair operations

Google Chronicle / SecOps

yaral

rule com_object_hijacking_t1546_015 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects COM object hijacking via suspicious CLSID registry key modifications in HKCU or with suspicious payload paths (T1546.015)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1546.015"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    $e.target.registry.registry_key = /(?i)Classes\\CLSID\\\{[0-9A-Fa-f\-]+\}\\(InprocServer32|LocalServer32|InprocServer|LocalServer|TreatAs|ProgID)/
    (
      re.regex($e.target.registry.registry_value_data, `(?i)(appdata|\\temp\\|programdata|users\\public|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32)`) or
      (
        re.regex($e.target.registry.registry_key, `(?i)(HKU\\|HKCU\\|Software\\Classes\\CLSID)`) and
        not re.regex($e.target.registry.registry_value_data, `(?i)(windows\\system32|syswow64|program files)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Registry Event logs ingested via Chronicle forwarder or Google Workspace/Defender integration

Required Tables

REGISTRY_MODIFICATION UDM events

False Positives

Enterprise application virtualization solutions (App-V, Citrix) that redirect COM registrations to per-user sandboxed paths
Legitimate click-to-run Office installations that maintain COM registrations in non-standard user-accessible paths
Software development SDKs that register test or mock COM components in Temp or AppData during build/test phases

CrowdStrike LogScale (CQL)

cql

#event_simpleName=RegGenericValueUpdate OR #event_simpleName=RegBinaryValueUpdate OR #event_simpleName=RegStringValueUpdate
| TargetRegistryKey = /(?i)Classes\\CLSID\\\{[0-9A-Fa-f\-]+\}\\(InprocServer32|LocalServer32|InprocServer|LocalServer|TreatAs|ProgID)/
| is_hkcu := TargetRegistryKey = /(?i)(HKU\\|HKCU\\|Software\\Classes\\CLSID)/
| is_suspicious_payload := TargetRegistryValueData = /(?i)(appdata|\\temp\\|programdata|users\\public|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32)/
| is_system_path := TargetRegistryValueData = /(?i)(windows\\system32|syswow64|program files)/
| is_hkcu_non_system := if(is_hkcu = true AND is_system_path = false, true, false)
| match(is_suspicious_payload = true OR is_hkcu_non_system = true)
| clsid_guid := regex(TargetRegistryKey, /CLSID\\(\{[0-9A-Fa-f\-]+\})/)
| detection_type := if(is_suspicious_payload = true, "COM_SUSPICIOUS_PAYLOAD",
    if(is_hkcu = true AND is_system_path = false, "COM_HKCU_NON_SYSTEM",
      if(is_hkcu = true, "COM_HKCU_OVERRIDE", "COM_HKLM_MODIFICATION")))
| table([timestamp, ComputerName, UserName, detection_type, clsid_guid, TargetRegistryKey, TargetRegistryValueData, ImageFileName, CommandLine])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor registry write events (RegGenericValueUpdate, RegStringValueUpdate, RegBinaryValueUpdate)

Required Tables

Falcon registry events: RegGenericValueUpdate, RegBinaryValueUpdate, RegStringValueUpdate

False Positives

Legitimate software updates that re-register COM components as part of patching workflows, particularly for Microsoft Office or Visual Studio components
Endpoint management agents (SCCM client, Tanium) that modify COM registrations when deploying or repairing managed applications
Security products that register monitoring or inspection COM hooks in non-standard paths as part of their protection mechanism

Component Object Model Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections