From d42ebdc3e62955b596321754426db4c44b2addb1 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 4 Feb 2026 13:23:40 +0000
Subject: [PATCH] [Tuning] Component Object Model Hijacking (#5651)

* Update persistence_suspicious_com_hijack_registry.toml

* Update persistence_suspicious_com_hijack_registry.toml
---
 .../windows/persistence_suspicious_com_hijack_registry.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 927614a43..d995fc89f 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/05"
+updated_date = "2026/01/29"
 
 [rule]
 author = ["Elastic"]
@@ -98,7 +98,8 @@ registry where host.os.type == "windows" and event.type == "change" and
 "HKEY_USERS\\*\\LocalServer32\\",
 "HKEY_USERS\\*\\DelegateExecute",
 "HKEY_USERS\\*\\TreatAs\\",
-"HKEY_USERS\\*\\ScriptletURL*"
+"HKEY_USERS\\*\\ScriptletURL*",
+"HKEY_USERS\\*\\TypeLib*\\Win*"
 ) and not registry.data.strings : (
 /* COM related to Windows Spotlight feature */