Correlate suspicious registry modifications to known COM object CLSIDs with subsequent DLL loads or unexpected binary execution paths. Detect placement of COM CLSID entries under HKEY_CURRENT_USER\Software\Classes\CLSID\ overriding default HKLM paths. Flag anomalous DLL loads traced back to hijacked COM registry changes.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| RegistryPathScope | Defenders may tune specific monitored CLSIDs depending on known-good application behavior. |
| BinaryPathAnomalyThreshold | May require tuning based on environment to distinguish rare-but-legit COM DLLs vs suspicious ones. |
| TimeWindow | Correlating registry changes to DLL load or process execution may require configurable time window. |
| UserContextFilter | Tuning detection by isolating activity to specific user SIDs or admin-level activity may reduce false positives. |
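The correlation described in the analytic above, combined with the TimeWindow and BinaryPathAnomalyThreshold tunables, as an added example that is not part of this page: a Python pass over constructed, simplified Security 4657 and Sysmon EventCode 7 records (field names follow those events; the HKLM baseline, SID, CLSID and file paths are assumed sample values). It flags a DLL load that occurs within the time window of a user-hive InprocServer32 write and reports whether the CLSID shadows an HKLM entry and whether the DLL sits in a user-writable path.

```python
# Added example: correlate per-user CLSID InprocServer32 writes with later
# DLL loads. Events, the HKLM baseline and paths here are constructed samples.
import re
from datetime import datetime, timedelta

# InprocServer32 key under a user hive, in the Security 4657 ObjectName form
# (\REGISTRY\USER\<SID>\...) or the HKU\<SID>\... / HKCU\... forms.
USER_CLSID_RE = re.compile(
    r"^(?:\\REGISTRY\\USER\\[^\\]+|HKU\\[^\\]+|HKCU)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.I)
# Assumed baseline: CLSIDs already registered under HKLM on this host.
HKLM_CLSIDS = {"{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)

def correlate(events, window=timedelta(minutes=10)):
    """Alert on each Sysmon 7 load whose ImageLoaded equals the NewValue of a
    user-hive CLSID write (simplified 4657 dict) seen within `window`."""
    pending, alerts = {}, []   # lowercased DLL path -> (clsid, user, write time)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["code"] == 4657:
            m = USER_CLSID_RE.match(ev["ObjectName"])
            if m:
                dll = ev["NewValue"].strip('"').lower()
                pending[dll] = (m.group(1).upper(), ev["SubjectUserName"], ev["time"])
        elif ev["code"] == 7:
            hit = pending.get(ev["ImageLoaded"].lower())
            if hit and ev["time"] - hit[2] <= window:   # TimeWindow element
                clsid, user, written = hit
                alerts.append({
                    "clsid": clsid, "user": user, "loader": ev["Image"],
                    "dll": ev["ImageLoaded"],
                    "overrides_hklm": clsid in HKLM_CLSIDS,   # HKCU entry shadows HKLM
                    "user_writable_path": bool(USER_WRITABLE.search(ev["ImageLoaded"])),
                    "delay_s": (ev["time"] - written).total_seconds()})
    return alerts

# Constructed telemetry: a user-hive override of an HKLM CLSID, the DLL loaded
# by explorer.exe two minutes later, and a second load outside the window.
T0 = datetime(2024, 1, 1, 12, 0, 0)
DLL = "C:\\Users\\alice\\AppData\\Roaming\\upd.dll"
SAMPLE_EVENTS = [
    {"code": 4657, "time": T0, "SubjectUserName": "alice", "NewValue": DLL,
     "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1000\\Software\\Classes\\CLSID\\"
                   "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\\InprocServer32"},
    {"code": 7, "time": T0 + timedelta(minutes=2), "User": "alice",
     "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": DLL},
    {"code": 7, "time": T0 + timedelta(hours=2), "User": "alice",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": DLL},
]
```

Only the load two minutes after the write produces an alert; the load two hours later falls outside the default window and is dropped, which is the behaviour the TimeWindow tunable controls.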