Removal of Potential COM Hijacking Registry Keys

Severity: medium
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Source: upstream

Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1112` Modify Registry
Defense Evasion	`T1112` Modify Registry

Event coverage

Provider	Event ID	Title
Sysmon	14	RegistryEvent (Key and Value Rename)

Stages and Predicates

Stage 1: `selection`

TargetObject|endswith: '\shell\open\command'

Stage 2: `not 1 of filter_main_*`

or:
Image|endswith: 'C:\Windows\explorer.exe'
Image: 'C:\Windows\SysWOW64\msiexec.exe'
Image: 'C:\Windows\System32\OpenWith.exe'
Image: 'C:\Windows\System32\msiexec.exe'
Image: 'C:\Windows\system32\svchost.exe'
Image|startswith: 'C:\Program Files (x86)\'
Image|startswith: 'C:\Program Files\'

Stage 3: `not 1 of filter_optional_*`

or:
Image: ['C:\Program Files (x86)\Avira\Antivirus\', 'C:\Program Files\Avira\Antivirus\']
or:
TargetObject|endswith: '\AntiVir.Keyfile\shell\open\command'
TargetObject|endswith: '\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command'
Image|endswith: 'C:\eclipse\eclipse.exe'
TargetObject|contains: '_Classes\eclipse+'
Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
TargetObject|contains: '\wireshark-capture-file\'
Image|endswith: '\Dropbox.exe'
TargetObject|contains: '\Dropbox.'
Image|endswith: '\Everything.exe'
TargetObject|contains: '\Everything.'
Image|endswith: '\Spotify.exe'
TargetObject|endswith: '\Spotify\shell\open\command'
Image|endswith: '\installer.exe'
Image|startswith: 'C:\Program Files (x86)\Java\'
TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
Image|endswith: '\reg.exe'
TargetObject|endswith: '\Discord\shell\open\command'
Image|contains: 'AppData\Local\Temp'
Image|contains: '\setup.exe'
Image|contains: '\TeamViewer'
Image|contains: '\Temp'
Image|contains: '\Temp\is-'
Image|contains: '\target.tmp'
Image|contains: peazip
TargetObject|contains: '\PeaZip.'
Image|endswith: '\ninite.exe'
Image|contains: '\Microsoft\EdgeUpdate\Install'
Image|startswith: 'C:\Windows\Installer\MSI'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`C:\Windows\explorer.exe` `C:\eclipse\eclipse.exe` `\AppData\Local\Temp\Wireshark_uninstaller.exe` `\Dropbox.exe` corpus 2 (sigma 2) `\Everything.exe` `\Spotify.exe` `\installer.exe` `\ninite.exe` `\reg.exe` corpus 46 (sigma 46)
`Image`	eq	`C:\Program Files (x86)\Avira\Antivirus\` `C:\Program Files\Avira\Antivirus\` `C:\Windows\SysWOW64\msiexec.exe` corpus 4 (sigma 4) `C:\Windows\System32\OpenWith.exe` corpus 2 (sigma 2) `C:\Windows\System32\msiexec.exe` corpus 4 (sigma 4) `C:\Windows\system32\svchost.exe` corpus 5 (sigma 5)
`Image`	match	`AppData\Local\Temp` `\Microsoft\EdgeUpdate\Install` `\TeamViewer` `\Temp` `\Temp\is-` `\setup.exe` corpus 2 (sigma 2) `\target.tmp` `peazip`
`Image`	starts_with	`C:\Program Files (x86)\` corpus 14 (sigma 14) `C:\Program Files (x86)\Java\` `C:\Program Files\` corpus 15 (sigma 15) `C:\Windows\Installer\MSI` corpus 3 (sigma 3)
`TargetObject`	ends_with	`\AntiVir.Keyfile\shell\open\command` `\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command` `\Discord\shell\open\command` `\Spotify\shell\open\command` `\shell\open\command`
`TargetObject`	match	`\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}` `\Dropbox.` `\Everything.` `\PeaZip.` `\wireshark-capture-file\` `_Classes\eclipse+`