Removal of Potential COM Hijacking Registry Keys
Detects any deletion of entries in ".*\shell\open\command" registry keys. These keys might have been used for COM hijacking by a threat actor, and their deletion could indicate an attempt to cover their tracks.
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Created: Sat May 02 | Updated: Tue Oct 07
Rule ID: 96f697b0-b499-4e5d-9908-a67bec11cdb6 | Product: windows
Log Source
Product: Windows (windows)
Category: Registry Delete (registry_delete)
Detection Logic (20 selectors)
detection:
  selection:
    TargetObject|endswith: '\shell\open\command'
  filter_main_explorer:
    Image|endswith: 'C:\Windows\explorer.exe'
  filter_main_svchost:
    Image: 'C:\Windows\system32\svchost.exe'
  filter_main_msiexec:
    Image:
      - 'C:\Windows\System32\msiexec.exe'
      - 'C:\Windows\SysWOW64\msiexec.exe'
  filter_main_generic_prorams:
    Image|startswith:
      - 'C:\Program Files\'
      - 'C:\Program Files (x86)\'
  filter_main_openwith:
    Image: 'C:\Windows\System32\OpenWith.exe'
  filter_optional_dropbox:
    Image|endswith: '\Dropbox.exe'
    # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
    TargetObject|contains: '\Dropbox.'
  filter_optional_wireshark:
    Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
    # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
    TargetObject|contains: '\wireshark-capture-file\'
  filter_optional_peazip:
    Image|contains: 'peazip'
    # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
    TargetObject|contains: '\PeaZip.'
  filter_optional_everything:
    Image|endswith: '\Everything.exe'
    # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
    TargetObject|contains: '\Everything.'
  filter_optional_uninstallers:
    # This image path is linked with different uninstallers when running as admin unfortunately
    Image|startswith: 'C:\Windows\Installer\MSI'
  filter_optional_java:
    Image|startswith: 'C:\Program Files (x86)\Java\'
    Image|endswith: '\installer.exe'
    TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
  filter_optional_edgeupdate:
    Image|contains: '\Microsoft\EdgeUpdate\Install'
  filter_optional_avira:
    # Directory prefixes, so a prefix match is needed; an exact 'Image:' match against a path ending in '\' can never fire
    Image|startswith:
      - 'C:\Program Files (x86)\Avira\Antivirus\'
      - 'C:\Program Files\Avira\Antivirus\'
    TargetObject|endswith:
      - '\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command'
      - '\AntiVir.Keyfile\shell\open\command'
  filter_optional_installer_temp:
    - Image|contains|all:
        - 'AppData\Local\Temp'
        - '\setup.exe'
    - Image|contains|all:
        - '\Temp\is-'
        - '\target.tmp'
  filter_optional_ninite:
    Image|endswith: '\ninite.exe'
  filter_optional_discord:
    Image|endswith: '\reg.exe'
    TargetObject|endswith: '\Discord\shell\open\command'
  filter_optional_spotify:
    Image|endswith: '\Spotify.exe'
    TargetObject|endswith: '\Spotify\shell\open\command'
  filter_optional_eclipse:
    Image|endswith: 'C:\eclipse\eclipse.exe'
    TargetObject|contains: '_Classes\eclipse+'
  filter_optional_teamviewer:
    Image|contains|all:
      - '\Temp'
      - '\TeamViewer'
  condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered.
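As an added example (not code from the rule or the Sigma project), the following Python re-implements the rule's condition for a subset of its filters and runs it over constructed registry-delete events; it assumes the Sysmon Event ID 12 field names Image and TargetObject, uses a placeholder CLSID, and applies Sigma's case-insensitive string matching, which is what lets the Avira filter's 'Shell\Open\Command' agree with the lower-case selection suffix.

```python
# Reference re-implementation of this rule's selection/filter logic (not the Sigma project's code),
# evaluated over constructed Sysmon Event ID 12 (registry key delete) records.
SELECTION = {"TargetObject|endswith": ["\\shell\\open\\command"]}

# Subset of the rule's filters, same keys and values as the YAML above.
FILTER_MAIN = [
    {"Image|endswith": ["C:\\Windows\\explorer.exe"]},
    {"Image": ["C:\\Windows\\system32\\svchost.exe"]},
    {"Image": ["C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe"]},
    {"Image|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\"]},
]
FILTER_OPTIONAL = [
    {"Image|endswith": ["\\Dropbox.exe"], "TargetObject|contains": ["\\Dropbox."]},
    {"Image|endswith": ["\\reg.exe"], "TargetObject|endswith": ["\\Discord\\shell\\open\\command"]},
    {"Image|contains|all": ["\\Temp", "\\TeamViewer"]},
]

def _field_matches(value, key, patterns):
    """Apply one 'Field|modifier' entry; Sigma string matching is case-insensitive."""
    field, *mods = key.split("|")
    mode = next((m for m in mods if m in ("endswith", "startswith", "contains")), "equals")
    v = value.lower()
    hits = []
    for p in (p.lower() for p in patterns):
        hits.append({"endswith": v.endswith(p), "startswith": v.startswith(p),
                     "contains": p in v, "equals": v == p}[mode])
    return all(hits) if "all" in mods else any(hits)  # '|all' ANDs the list, otherwise OR

def _selector_matches(event, selector):
    """All entries inside one selector are ANDed."""
    return all(_field_matches(event.get(k.split("|")[0], ""), k, v) for k, v in selector.items())

def rule_fires(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not _selector_matches(event, SELECTION):
        return False
    return not any(_selector_matches(event, f) for f in FILTER_MAIN + FILTER_OPTIONAL)

# Constructed sample events (the CLSID is a placeholder, not a real one).
EVENTS = [
    {"Image": "C:\\Users\\bob\\AppData\\Roaming\\upd.exe",
     "TargetObject": "HKCR\\CLSID\\{00000000-0000-0000-0000-000000000000}\\shell\\open\\command"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKCR\\txtfile\\shell\\open\\command"},
    {"Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": "HKCR\\Discord\\shell\\open\\command"},
    {"Image": "C:\\Users\\bob\\tool.exe", "TargetObject": "HKCR\\txtfile\\Shell\\Open\\Command"},
    {"Image": "C:\\Users\\bob\\tool.exe", "TargetObject": "HKCR\\txtfile\\shell\\open\\command\\x"},
]

def evaluate_all():
    return [rule_fires(e) for e in EVENTS]  # returns [True, False, False, True, False]
```

Only the first and fourth events alert: the msiexec and reg.exe/Discord deletions are absorbed by filters, and the last event is not a `\shell\open\command` key itself.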
MITRE ATT&CK
Techniques: T1112 (Modify Registry)
Rule Metadata
Rule ID
96f697b0-b499-4e5d-9908-a67bec11cdb6
Status
test
Level
medium
Type
Detection
Created
Sat May 02
Modified
Tue Oct 07
Path
rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.t1112