title: Component Object Model Hijacking (T1546.015)
id: df00tech-t1546-015
status: experimental
description: "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry. Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause the execution of the adversary's code instead of the intended COM component."
references:
  - https://attack.mitre.org/techniques/T1546/015/
  - https://df00tech.com/detections/T1546.015
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.015
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installations that register COM servers in HKLM\\SOFTWARE\\Classes\\CLSID with legitimate DLL or EXE paths"
  - ClickOnce and XCOPY application deployments that register COM objects in HKCU for per-user installation
  - Office add-ins and third-party software plugins that register COM objects in the user hive for per-user functionality
  - Developer environments and test builds that register experimental or debug COM servers
level: high