title: Windows Registry Persistence - COM key linking
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: experimental
description: Detects COM object hijacking via TreatAs subkey
references:
    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019/10/23
modified: 2019/11/07
tags:
    - attack.persistence
    - attack.t1122
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 12
        TargetObject|startswith: 'HKU\'
        TargetObject|contains: '_Classes\CLSID\'
        TargetObject|endswith: '\TreatAs'
    condition: selection
falsepositives: 
    - Maybe some system utilities in rare cases use linking keys for backward compability
level: medium