
COM Hijack via Sdclt

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

Author: Omkar Gudhate
Created: Sun Sep 27; updated: Thu Sep 28
Rule ID: 07743f65-7ec9-404a-a519-913db7118a8d
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)

Detection Logic (1 selector)
detection:
    selection:
        TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
    condition: selection
False Positives
Unknown. False positive likelihood has not been assessed; additional context may be needed during triage.

Rule Metadata
Rule ID
07743f65-7ec9-404a-a519-913db7118a8d
Status
test
Level
high
Type
Detection
Created
Sun Sep 27
Modified
Thu Sep 28
Path
rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1546, attack.t1548