Component Object Model (COM) Hijacking via Registry Modification
This rule detects Component Object Model (COM) hijacking via registry modification, where adversaries establish persistence by executing malicious content triggered by hijacked references to COM objects.
Component Object Model (COM) hijacking is a persistence and privilege escalation technique where adversaries modify COM registry entries to point to malicious code. This allows attackers to execute arbitrary code in place of legitimate software components. The Elastic rule "Component Object Model Hijacking," updated on March 19, 2026, detects this activity by monitoring registry modifications related to COM objects. The rule specifically looks for changes in InprocServer32, LocalServer32, DelegateExecute, TreatAs, ScriptletURL*, and TypeLib*\\Win* registry keys, commonly targeted in COM hijacking attacks. This technique is effective because the operating system relies on these COM objects, and hijacking them can lead to stealthy and persistent malicious execution. Defenders need to monitor for unexpected changes to these registry keys to detect and prevent COM hijacking attempts.
Attack Chain
- The adversary gains initial access to the system through unspecified means (e.g., exploitation, social engineering).
- The attacker identifies a vulnerable COM object to hijack by enumerating available COM objects and their registry settings.
- The adversary modifies the registry, specifically targeting
HKLMorHKCUorHKUInprocServer32subkeys, to redirect COM object calls to a malicious DLL or executable. - The modified registry entry points to a malicious DLL or executable located in a directory like
C:\Users\<username>\AppData\Local\Temp\. - A legitimate application or system process attempts to instantiate the hijacked COM object.
- Instead of the intended component, the malicious DLL or executable is loaded and executed.
- The malicious code performs actions such as installing malware, establishing persistence, or escalating privileges.
- The adversary achieves persistence by ensuring the malicious code is executed every time the hijacked COM object is called.
Impact
Successful COM hijacking allows attackers to maintain persistent access to a compromised system, often with elevated privileges. This can lead to the installation of backdoors, data theft, or further compromise of the network. The number of potential victims is vast, as many Windows systems rely heavily on COM objects for various functionalities. The sectors most affected are those that depend on Windows-based systems, including enterprise environments, government agencies, and critical infrastructure.
Recommendation
- Deploy the Sigma rule "Suspicious COM Hijack Registry Modification" to your SIEM and tune for your environment to detect suspicious changes to COM-related registry keys.
- Enable Sysmon registry event logging to capture the necessary events for the Sigma rule to function effectively.
- Investigate any alerts generated by the Sigma rule by examining the process execution chain and the legitimacy of the modified registry entries.
- Implement regular scans for unexpected files in user directories like
AppData\Local\Tempas part of a broader malware hunting strategy. - Use the references provided to understand the COM registry structure to create more detections and better investigate potential compromises.
Detection coverage 2
Suspicious COM Hijack Registry Modification
mediumDetects suspicious modifications to COM-related registry keys, indicating potential COM hijacking attempts.
Suspicious COM Hijack via ScriptletURL Registry Modification
lowDetects modifications to the ScriptletURL registry key, often used in COM hijacking to load remote scriptlets.
Detection queries are available on the platform. Get full rules →