
DET0481 Windows COM Hijacking Detection via Registry and DLL Load Correlation

Item           Value
ID             DET0481
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1546.015 (Component Object Model Hijacking)

Analytics

Windows

AN1323

Correlate suspicious registry modifications to known COM object CLSIDs with subsequent DLL loads or unexpected binary execution paths. Detect placement of COM CLSID entries under HKEY_CURRENT_USER\Software\Classes\CLSID\, which take precedence over the default HKLM entries and therefore redirect the COM object to a user-controlled server. Flag anomalous DLL loads that can be traced back to those hijacked COM registry changes.

Log Sources

Data Component                              Name                  Channel
Windows Registry Key Modification (DC0063)  WinEventLog:Security  EventCode=4657
Process Creation (DC0032)                   WinEventLog:Sysmon    EventCode=1
Module Load (DC0016)                        WinEventLog:Sysmon    EventCode=7

Mutable Elements

Field                       Description
RegistryPathScope           Defenders may tune the specific monitored CLSIDs depending on known-good application behavior.
BinaryPathAnomalyThreshold  May require tuning per environment to distinguish rare-but-legitimate COM DLLs from suspicious ones.
TimeWindow                  Correlating registry changes to a DLL load or process execution may require a configurable time window.
UserContextFilter           Tuning detection by isolating activity to specific user SIDs or admin-level activity may reduce false positives.
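The correlation this analytic describes, written out as an added Python example (not part of the ATT&CK page or any vendor content): a user-hive CLSID write from Event 4657 is matched to a later Sysmon Event 7 load of the same DLL, with the TimeWindow, RegistryPathScope and BinaryPathAnomalyThreshold elements exposed as parameters. The event dictionaries, SID, CLSID and file paths are constructed sample telemetry, not real log records.

```python
import re
from datetime import datetime

# Per-user CLSID server key that a COM hijack has to write: the HKCU entry
# shadows the HKLM default when the object is instantiated.
CLSID_KEY = re.compile(
    r"\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)",
    re.IGNORECASE)
# Stand-in for BinaryPathAnomalyThreshold: a COM server outside these roots is
# flagged. Constructed default, tune per environment.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_anomalous_path(path, trusted_roots=TRUSTED_ROOTS):
    p = path.strip('"').lower()
    return not any(p.startswith(root) for root in trusted_roots)

def correlate(events, window_s=300, clsid_scope=None):
    # Alert when a user-hive CLSID write (4657) is followed within window_s
    # (TimeWindow) by a Sysmon 7 load of the DLL the write pointed at.
    # clsid_scope (RegistryPathScope) is an optional set of lowercase CLSIDs.
    pending, alerts = [], []   # pending: (clsid, dll, user, write time)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["code"] == 4657:
            m = CLSID_KEY.search(ev["object"])
            if m and (clsid_scope is None or m.group(1).lower() in clsid_scope):
                pending.append((m.group(1), ev["new_value"].strip('"').lower(), ev["user"], t))
        elif ev["code"] == 7:
            for clsid, dll, user, t_reg in pending:
                delay = (t - t_reg).total_seconds()
                if ev["image_loaded"].lower() == dll and 0 <= delay <= window_s:
                    alerts.append({"clsid": clsid, "dll": dll, "user": user,
                                   "host_process": ev["image"], "delay_s": delay,
                                   "anomalous_path": is_anomalous_path(dll)})
    return alerts

# Constructed sample telemetry (not real logs): SID, CLSID and paths are invented.
SAMPLE_EVENTS = [
    {"time": "2025-10-21T10:00:00", "code": 4657, "user": "S-1-5-21-1-2-3-1001",
     "object": "\\REGISTRY\\USER\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID"
               "\\{11111111-2222-3333-4444-555555555555}\\InprocServer32",
     "new_value": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\helper.dll"},
    {"time": "2025-10-21T10:00:42", "code": 7, "user": "S-1-5-21-1-2-3-1001",
     "image": "C:\\Windows\\explorer.exe",
     "image_loaded": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\helper.dll"},
    # Benign load with no preceding per-user CLSID write: must not alert.
    {"time": "2025-10-21T10:01:00", "code": 7, "user": "S-1-5-21-1-2-3-1001",
     "image": "C:\\Windows\\explorer.exe",
     "image_loaded": "C:\\Windows\\System32\\shell32.dll"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields one alert for the AppData DLL loaded by explorer.exe 42 seconds after the HKCU write; shrinking the window below that delay or restricting the CLSID scope to other objects suppresses it, which is the tuning the mutable elements describe.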