title: Removal of Potential COM Hijacking Registry Keys
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection to trigger for processes removing .*\shell\open\command
    registry keys. Registry keys that might have been used for COM hijacking activities.
detection:
    SELECTION_1:
        EventID: 12
    SELECTION_2:
        EventID: 13
    SELECTION_3:
        EventID: 14
    SELECTION_4:
        EventType: DeleteKey
    SELECTION_5:
        TargetObject: '*\shell\open\command'
    condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5)
falsepositives:
- unknown
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
level: medium
logsource:
    category: registry_event
    product: windows
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/7
- https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html
- https://docs.microsoft.com/en-us/windows/win32/shell/launch
- https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
status: experimental
tags:
- attack.defense_evasion
- attack.t1112
yml_filename: sysmon_removal_com_hijacking_registry_key.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event