COM Hijacking via TreatAs

Severity: medium
Author: frack113
Source: upstream

Detect modification of TreatAs key to enable "rundll32.exe -sta" command

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1546.015` Event Triggered Execution: Component Object Model Hijacking
Privilege Escalation	`T1546.015` Event Triggered Execution: Component Object Model Hijacking

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `selection`

TargetObject|endswith: 'TreatAs\(Default)'

Stage 2: `not 1 of filter_*`

or:
Image|endswith: '\OfficeClickToRun.exe'
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
Image: 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
Image: 'C:\Windows\SysWOW64\msiexec.exe'
Image: 'C:\Windows\system32\msiexec.exe'
Image: 'C:\Windows\system32\svchost.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\OfficeClickToRun.exe` corpus 10 (sigma 10)
`Image`	eq	`C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe` corpus 6 (sigma 6) `C:\Program Files\Microsoft Office\root\integration\integrator.exe` corpus 6 (sigma 6) `C:\Windows\SysWOW64\msiexec.exe` corpus 4 (sigma 4) `C:\Windows\system32\msiexec.exe` corpus 2 (sigma 2) `C:\Windows\system32\svchost.exe` corpus 5 (sigma 5)
`Image`	starts_with	`C:\Program Files\Common Files\Microsoft Shared\ClickToRun\` corpus 8 (sigma 8)
`TargetObject`	ends_with	`TreatAs\(Default)`