Component Object Model Hijackingedit

Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.

Rule type: eql

Rule indices:

  • winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Rule queryedit

registry where /* uncomment once length is stable
length(bytes_written_string) > 0 and */ (registry.path :
"HK*}\\InprocServer32\\" and ("scrobj.dll",
"C:\\*\\scrobj.dll") and not registry.path :
"*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") or /* in general
COM Registry changes on Users Hive is less noisy and worth alerting */
(registry.path : ("HKEY_USERS\\*Classes\\*\\InprocXServer32\\",
"HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and /* not
necessary but good for filtering privileged installations */
user.domain != "NT AUTHORITY")

Threat mappingedit


Rule version historyedit

Version 2 (7.11.2 release)
  • Formatting only