T1546.015 IBM QRadar · QRadar

Detect Component Object Model Hijacking in IBM QRadar

Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause the execution of the adversary's code instead of the intended COM component.

MITRE ATT&CK

Tactic
Privilege Escalation, Persistence
Technique
T1546 Event Triggered Execution
Sub-technique
T1546.015 Component Object Model Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1546/015/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "TargetObject" AS registry_key,
  "Details" AS registry_value_data,
  "Image" AS initiating_process,
  CASE
    WHEN LOWER("Details") MATCHES '.*?(appdata|\\\\temp\\\\|programdata|users\\\\public|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32).*?' THEN 'COM_SUSPICIOUS_PAYLOAD'
    WHEN "TargetObject" MATCHES '.*?(HKU\\\\|HKCU\\\\|Software\\\\Classes\\\\CLSID).*?' AND NOT (LOWER("Details") MATCHES '.*?(windows\\\\system32|syswow64|program files).*?') THEN 'COM_HKCU_NON_SYSTEM'
    WHEN "TargetObject" MATCHES '.*?(HKU\\\\|HKCU\\\\).*?' THEN 'COM_HKCU_OVERRIDE'
    ELSE 'COM_HKLM_MODIFICATION'
  END AS detection_type,
  REGEXP_EXTRACT("TargetObject", 'CLSID\\\\(\\{[0-9A-Fa-f\\-]+\\})') AS clsid_guid
FROM events
WHERE
  LOGSOURCETYPEID = 12 /* Microsoft Windows Security Event Log */
  AND QIDNAME(qid) IN ('Registry Value Set', 'Registry Object Added or Deleted', 'Sysmon - Registry value set', 'Sysmon - Registry object added or deleted')
  /* Sysmon 12 = registry object added/deleted, 13 = registry value set; only CLSID server/TreatAs/ProgID subkeys are of interest */
  AND "EventID" IN ('12', '13')
  AND "TargetObject" MATCHES '.*?Classes\\\\CLSID\\\\.*?(InprocServer32|LocalServer32|InprocServer|LocalServer|TreatAs|ProgID).*?'
  AND (
    LOWER("Details") MATCHES '.*?(appdata|\\\\temp\\\\|programdata|users\\\\public|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32).*?'
    OR (
      "TargetObject" MATCHES '.*?(HKU\\\\|HKCU\\\\|Software\\\\Classes\\\\CLSID).*?'
      AND NOT (LOWER("Details") MATCHES '.*?(windows\\\\system32|syswow64|program files).*?')
    )
  )
ORDER BY devicetime DESC
/* AQL time-range clause: it follows ORDER BY and is not ANDed into the WHERE expression */
LAST 1 DAYS
```

Severity: high · Confidence: medium

QRadar AQL detection for COM hijacking via registry modifications to CLSID server keys (InprocServer32, LocalServer32, TreatAs, ProgID). It correlates Sysmon Event ID 12/13 registry events against suspicious payload path patterns and per-user (HKCU/HKU) registrations that point outside system directories, and labels each hit with a detection type.

Data Sources

  • Microsoft Windows Sysmon (EventID 12, 13)
  • Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Enterprise software deployment tools (SCCM, Intune) registering COM components for managed applications in user profiles
  • Legitimate per-user COM server registration by productivity software (Microsoft Office, Adobe) during first-run setup
  • Security tools or EDR agents that register monitoring hooks via COM interfaces in non-standard paths
Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: COM Hijack via HKCU InprocServer32

    Expected signal: Sysmon Event ID 13: TargetObject=HKCU\SOFTWARE\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32, Details=AppData path. IsHkcuOverride=true, IsNotSystemPath=true. Process creation for reg.exe.

  2. Test 2: COM Hijack Targeting Explorer Shell Extension CLSID

    Expected signal: Sysmon Event ID 13 for HKCU CLSID registration with Temp directory DLL path. The Temp path is the high-risk indicator.

  3. Test 3: Enumerate COM Hijacking Opportunities

    Expected signal: Process creation for powershell.exe with registry enumeration command. Read-only registry access to HKLM and HKCU CLSID trees. Output reveals count of potential hijacking candidates.
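To see how the query's WHERE filter and CASE classification behave on the signals above, here is the same logic re-implemented in Python as an added example (not code from this page or from IBM QRadar) and run over constructed Sysmon registry events modelled on Tests 1 and 2. The user name, the second GUID, the SID-free HKCU key form and every DLL/EXE path are assumptions.

```python
import re

# Python re equivalents of the query's MATCHES patterns. These are raw strings, so a single
# backslash here is the literal backslash the AQL pattern spells "\\\\"; re.I stands in for LOWER().
COM_SERVER_KEY = re.compile(r"Classes\\CLSID\\.*?(InprocServer32|LocalServer32|InprocServer|LocalServer|TreatAs|ProgID)")
SUSPICIOUS_PAYLOAD = re.compile(r"appdata|\\temp\\|programdata|users\\public|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32", re.I)
USER_HIVE_OR_CLSID = re.compile(r"HKU\\|HKCU\\|Software\\Classes\\CLSID")
SYSTEM_PATH = re.compile(r"windows\\system32|syswow64|program files", re.I)
CLSID_GUID = re.compile(r"CLSID\\(\{[0-9A-Fa-f\-]+\})")

def classify(event):
    """Apply the query's WHERE filter and CASE branches to one Sysmon registry event; None = not selected."""
    target, details = event.get("TargetObject", ""), event.get("Details", "")
    if event.get("EventID") not in ("12", "13") or not COM_SERVER_KEY.search(target):
        return None  # wrong event type, or not a CLSID server/TreatAs/ProgID subkey
    if SUSPICIOUS_PAYLOAD.search(details):
        detection_type = "COM_SUSPICIOUS_PAYLOAD"
    elif USER_HIVE_OR_CLSID.search(target) and not SYSTEM_PATH.search(details):
        detection_type = "COM_HKCU_NON_SYSTEM"
    else:
        # The WHERE clause admits only events that hit one of the two branches above, so the
        # query's COM_HKCU_OVERRIDE and COM_HKLM_MODIFICATION labels are never actually emitted.
        return None
    guid = CLSID_GUID.search(target)
    return {"registry_key": target, "initiating_process": event.get("Image"),
            "detection_type": detection_type, "clsid_guid": guid.group(1) if guid else None}

def detect(events):
    """Return the alert records the query would produce for a batch of events."""
    return [alert for alert in map(classify, events) if alert is not None]

# Constructed sample events modelled on the tests above (the user name, the second GUID and
# every DLL/EXE path are made up; reg.exe is the writer named in Test 1).
SAMPLE_EVENTS = [
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",          # Test 1: AppData payload
     "TargetObject": r"HKCU\SOFTWARE\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32",
     "Details": r"C:\Users\alice\AppData\Roaming\payload.dll"},
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",          # Test 2: Temp-directory DLL
     "TargetObject": r"HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "Details": r"C:\Users\alice\AppData\Local\Temp\shellext.dll"},
    {"EventID": "13", "Image": r"C:\Users\alice\Tools\installer.exe",   # per-user, outside system dirs
     "TargetObject": r"HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32",
     "Details": r"C:\Users\alice\Tools\plugin.exe"},
    {"EventID": "13", "Image": r"C:\Windows\System32\msiexec.exe",      # machine-wide, system path: dropped
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "Details": r"C:\Program Files\ExampleVendor\vendor.dll"},
]
```

The fourth sample shows the tuning boundary: a machine-wide registration whose server lives under Program Files is never selected, which is why the false-positive cases listed earlier are mostly per-user registrations into AppData-style paths.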
