This note documents detection patterns for COM Hijacking in Windows environments. A COM hijack replaces or overrides the server registration of a CLSID (the InprocServer32 or LocalServer32 default value) so that the next COM client to instantiate that class loads the attacker's DLL or executable. Because HKCU\Software\Classes is merged ahead of HKLM\Software\Classes when HKCR is resolved, a per-user entry can shadow a legitimate machine-wide registration without administrative rights.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 13 | Registry value set | Critical | CLSID InprocServer32 / LocalServer32 value writes. Per-user writes are logged as HKU\<SID>\Software\Classes\CLSID\..., not as HKCU. |
| Sysmon | 12 | Registry object create/delete | High | Creation of a new CLSID or server subkey, or its removal during cleanup. |
| Security | 4657 | Registry value modified | High | Native audit; requires the Object Access > Audit Registry subcategory and a SACL on the CLSID keys, neither of which is enabled by default. |
| Sysmon | 1 | Process creation | Critical | Hijacked COM client (LocalServer32 case) or its child launching the payload. |
| Sysmon | 7 | Image loaded | Critical | Malicious DLL loaded into the COM client after CLSID resolution; the Signed / Signature fields give signing enrichment for free. |
| Security | 4688 | Process creation | High | Parent-child context; the command line is present only if process command-line auditing is enabled. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| CLSID points to user path | InprocServer32 / LocalServer32 default value under AppData, Temp, ProgramData or another user-writable directory | Critical | Strong hijack signal; legitimate servers live under Program Files or System32. |
| InprocServer32 changed | Existing DLL path replaced, or ThreadingModel / path values added to a previously empty key | Critical | Core COM hijack primitive. |
| Trusted binary loads unusual DLL | Explorer / Office / svchost loading a module outside System32 and Program Files | Critical | High-confidence clue, especially when the load follows a CLSID write. |
| Per-user COM override | HKCU\Software\Classes\CLSID entry for a CLSID that is also registered under HKLM | High | Stealth persistence: the per-user entry takes precedence and needs no admin rights. |
| DLL unsigned | Non-system module with no or invalid Authenticode signature | High | Valuable anomaly; most legitimate COM servers are signed. |
| Trigger tied to login/app launch | Payload executes only when the COM client starts (logon, Explorer, Office), not at write time | High | Common persistence behaviour; correlate the registry write with the later image load. |
Common Tools
| Tool | Usage |
|---|---|
| reg.exe | CLSID modification |
| PowerShell | Registry COM writes |
| regedit.exe | Manual hijack |
| malware loaders | COM persistence |
Relevant Artifacts
- Sysmon Event IDs 12, 13, 1, 7
- Security Event IDs 4657, 4688
- Registry paths:
  - HKCU\Software\Classes\CLSID\
  - HKLM\Software\Classes\CLSID\
- Key values:
  - InprocServer32
  - LocalServer32
- DLL path
- Prefetch for triggering process
- Amcache / ShimCache
MITRE ATT&CK References
- T1546.015 Component Object Model Hijacking
Decision Tree
- Which hive holds the modified CLSID?
  - HKCU (per-user override; shadows any HKLM registration for that user, no admin rights needed)
  - HKLM (machine-wide; the writer needed admin rights)
- Where does the server path point?
  - System32
  - Temp
  - AppData
- Which process triggers the CLSID?
  - Explorer
  - Office
  - Service host
- Is the DLL signed?
  - Yes
  - No
- Expand:
  - Adjacent registry persistence
  - DLL timeline
  - Trigger frequency
- Scope:
  - Single CLSID
  - Multiple hijacks
  - Campaign pattern
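The decision tree above, applied to Sysmon Event ID 13 records, as an added example that is not part of the original note. The function names Get-ComHijackVerdict and ConvertFrom-SysmonEvent are chosen here for illustration; the field names (TargetObject, Details, Image) follow Sysmon's EventData schema. The sample records, the SID and the GUID in them are constructed placeholders, not real identifiers.

```powershell
# Added example (not from the original note): score a Sysmon EID 13 record
# against the decision tree (hive, server path, writing process).
function Get-ComHijackVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TargetObject,  # registry path that was written
        [Parameter(Mandatory)] [string] $Details,       # value data (server DLL/EXE path)
        [string] $Image = ''                            # process that performed the write
    )

    # Only CLSID server registrations matter for this technique. Sysmon logs
    # per-user hives as HKU\<SID>\..., so the hive check below covers both forms.
    if ($TargetObject -notmatch '\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\(InprocServer32|LocalServer32)') {
        return
    }

    $score   = 0
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Hive: a per-user override needs no admin rights and takes precedence over HKLM.
    if ($TargetObject -match '^(HKU\\S-1-5-21-[\d-]+|HKCU)\\') {
        $score += 2; $reasons.Add('per-user CLSID override')
    }

    # Server path: user-writable locations are the strongest single signal.
    # Details is matched raw so that unexpanded %APPDATA%-style values count too.
    if ($Details -match '(\\(AppData|Temp|Tmp|Downloads|ProgramData|Public)\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%)') {
        $score += 3; $reasons.Add("server path in user-writable location: $Details")
    } elseif ($Details -match '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\') {
        $score -= 1; $reasons.Add('server path under System32/SysWOW64')
    }

    # Writer: interactive registry tools are unusual for legitimate COM registration.
    if ($Image -match '\\(reg|regedit|powershell|pwsh|cmd|rundll32)\.exe$') {
        $score += 1; $reasons.Add("written by $(Split-Path $Image -Leaf)")
    }

    $verdict = if ($score -ge 4) { 'Critical' } elseif ($score -ge 2) { 'High' } else { 'Low' }
    [pscustomobject]@{
        Verdict      = $verdict
        Score        = $score
        TargetObject = $TargetObject
        ServerPath   = $Details
        Reasons      = $reasons -join '; '
    }
}

# Flatten a real Sysmon event from Get-WinEvent into the same shape as the samples.
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml    = [xml]$Event.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# Constructed sample records: placeholder SID and GUID, not real identifiers.
$SampleEvents = @(
    [pscustomobject]@{
        TargetObject = 'HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)'
        Details      = '%APPDATA%\Updater\upd.dll'
        Image        = 'C:\Windows\System32\reg.exe'
    },
    [pscustomobject]@{
        TargetObject = 'HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)'
        Details      = 'C:\Windows\System32\shell32.dll'
        Image        = 'C:\Windows\System32\msiexec.exe'
    }
)

# First sample scores 6 (Critical), second scores -1 (Low).
$SampleEvents |
    ForEach-Object { Get-ComHijackVerdict -TargetObject $_.TargetObject -Details $_.Details -Image $_.Image } |
    Format-Table Verdict, Score, ServerPath, Reasons -AutoSize

# Live use on an endpoint: read EID 13 from the Sysmon operational log instead of the samples.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } |
#     ConvertFrom-SysmonEvent |
#     ForEach-Object { Get-ComHijackVerdict -TargetObject $_.TargetObject -Details $_.Details -Image $_.Image } |
#     Where-Object { $_ -and $_.Verdict -ne 'Low' }
```

The scoring weights are arbitrary and only encode the ordering the tables above already imply (user-writable server path outranks hive, hive outranks the writing tool); tune them against a baseline before alerting on them.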
Example Detection Templates
KQL

```kql
// CLSID server registration rewritten to a user-writable path
Sysmon
| where EventID == 13
| where TargetObject has "CLSID" and TargetObject has_any ("InprocServer32", "LocalServer32")
| where Details has_any ("AppData", "Temp", "Users", "ProgramData", "Public")
| project TimeGenerated, Computer, Image, TargetObject, Details

// COM client loading a DLL from a user path or an unsigned DLL (enrichment for the hit above).
// Filtering on the consumer process keeps this far quieter than "anything outside System32".
Sysmon
| where EventID == 7
| where Image endswith @"\explorer.exe" or Image endswith @"\svchost.exe"
    or Image endswith @"\winword.exe" or Image endswith @"\excel.exe" or Image endswith @"\outlook.exe"
| where ImageLoaded has_any ("AppData", "Temp", "Users") or Signed == "false"
| project TimeGenerated, Computer, Image, ImageLoaded, Signed, Signature
```
EQL

```eql
// CLSID server registration pointing at a user-writable path (":" is case-insensitive wildcard match)
registry where registry.path : "*\\CLSID\\*\\InprocServer32*" and
  registry.data.strings : ("*\\AppData\\*", "*\\Temp\\*", "*%APPDATA%*", "*%TEMP%*")

// Same host: CLSID server rewritten, then a COM client loads a DLL from a user path within 10 minutes
sequence by host.name with maxspan=10m
  [ registry where registry.path : "*\\CLSID\\*\\InprocServer32*" ]
  [ library where dll.path : ("*\\AppData\\*", "*\\Temp\\*") and
      process.name in ("explorer.exe", "svchost.exe", "winword.exe", "excel.exe", "outlook.exe") ]
```
Sigma

```yaml
title: COM Hijacking Detection
id: 3d6a5b19-com-hijack
status: experimental
description: Detects a CLSID server registration (InprocServer32 / LocalServer32) being set to a path in a user-writable location
references:
    - https://attack.mitre.org/techniques/T1546/015/
author: Vergil
date: 2026-03-07
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\CLSID\'
            - 'Server32'
    suspicious_path:
        Details|contains:
            - '\AppData\'
            - '\Temp\'
            - '\Users\'
            - '\ProgramData\'
            - '%APPDATA%'
            - '%LOCALAPPDATA%'
            - '%TEMP%'
    condition: selection and suspicious_path
fields:
    - Image
    - TargetObject
    - Details
falsepositives:
    - Legitimate per-user COM registration by installers, plug-ins and per-user application deployments
level: high
tags:
    - attack.persistence
    - attack.t1546.015
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Registry monitoring | Alert on CLSID changes | Critical | Core signal |
| DLL path validation | Flag user-path DLLs | Critical | Strong anomaly |
| Baseline COM overrides | Inventory HKCU\Software\Classes\CLSID server entries per host; they are rare on managed endpoints | High | Low false positives once the baseline is known |
| DLL signing checks | Detect unsigned modules | High | Strong enrichment |
| Central registry telemetry | Preserve key history | High | Essential for DFIR |
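Hunting for the per-user overrides the table above asks for, as an added example that is not part of the original note. The function name Get-UserComOverride and its output fields are chosen here for illustration. It reads the registry through the PowerShell registry provider and Get-AuthenticodeSignature, so it must run on the host being examined; only user hives currently loaded under HKEY_USERS are visible.

```powershell
# Added example (not from the original note): enumerate per-user COM server
# registrations and enrich each with the checks from the mitigation table
# (user-writable path, Authenticode status, whether it shadows an HKLM entry).
function Get-UserComOverride {
    [CmdletBinding()]
    param(
        # Provider path of the user hive to inspect; default is the current user.
        [string] $HiveRoot = 'Registry::HKEY_CURRENT_USER'
    )

    # 32-bit registrations under Software\Classes\WOW6432Node\CLSID are not covered here.
    $clsidRoot = "$HiveRoot\Software\Classes\CLSID"
    if (-not (Test-Path $clsidRoot)) { return }

    foreach ($key in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $serverKey = "$($key.PSPath)\$server"
            if (-not (Test-Path $serverKey)) { continue }

            # The (Default) value holds the DLL/EXE path. Keep %VAR% unexpanded for
            # reporting and expand a copy for the file-system checks.
            $raw = (Get-Item $serverKey).GetValue('', '', 'DoNotExpandEnvironmentNames')
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            # LocalServer32 values may carry arguments; keep only the executable part.
            if ($expanded -match '^(.+?\.(dll|exe))') { $expanded = $Matches[1] }

            # A matching HKLM entry means this per-user key shadows a machine-wide
            # registration, the classic hijack layout.
            $machineKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$($key.PSChildName)\$server"

            $signature = if (Test-Path -LiteralPath $expanded) {
                (Get-AuthenticodeSignature -LiteralPath $expanded).Status.ToString()
            } else {
                'FileMissing'   # path dangling: cleaned-up payload or still-pending drop
            }

            [pscustomobject]@{
                CLSID        = $key.PSChildName
                Server       = $server
                Path         = $raw
                ShadowsHKLM  = [bool](Test-Path $machineKey)
                UserWritable = [bool]($expanded -match '\\(AppData|Temp|Downloads|ProgramData|Public)\\')
                Signature    = $signature      # Valid, NotSigned, HashMismatch, FileMissing, ...
            }
        }
    }
}

# Current user: show only entries that fail at least one check.
Get-UserComOverride |
    Where-Object { $_.UserWritable -or $_.ShadowsHKLM -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize

# Every profile currently loaded under HKEY_USERS (run elevated).
Get-ChildItem Registry::HKEY_USERS |
    Where-Object PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' |
    ForEach-Object { Get-UserComOverride -HiveRoot "Registry::HKEY_USERS\$($_.PSChildName)" } |
    Format-Table -AutoSize
```

Run it once on a clean reference build to capture the baseline; on most managed endpoints the list is empty or consists of a handful of signed vendor plug-ins, so any new row with ShadowsHKLM or UserWritable set is worth a look. Profiles of logged-off users are not loaded under HKEY_USERS and need their NTUSER.DAT mounted with reg.exe load before this sees them.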