Query Details

CLSID Override

Query

// Based on https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
//CVE-2025-2783 
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith "HKEY_CURRENT_USER\\" and RegistryKey has "SOFTWARE\\Classes\\CLSID" and RegistryKey endswith "InProcServer32"
| where not(RegistryValueData has_any ("%systemroot%", "C:\\Program Files (x86)\\", "C:\\Program Files\\"))
| where RegistryValueData endswith ".dll"

About this query

CLSID override

Query Information

MITRE ATT&CK Technique(s)

Description

This rule detects modifications to the HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID{CLSID}\InProcServer32 registry key where the RegistryValueData ends with ".dll" and does not point to common system directories (%systemroot%, C:\Program Files (x86), C:\Program Files). This behavior is indicative of CLSID hijacking, a technique used by adversaries to achieve persistence or privilege escalation by redirecting legitimate COM object calls to a malicious DLL

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect potential malicious activity related to CLSID hijacking, a technique used by attackers to maintain persistence or escalate privileges on a system. Here's a simplified breakdown of what the query does:

  1. Data Source: It examines events related to changes in the Windows Registry, specifically looking at registry value set actions.

  2. Targeted Registry Key: The query focuses on modifications to registry keys under HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32. This is a location where COM object configurations are stored.

  3. Suspicious Behavior Detection:

    • It checks if the registry value data (the path to a DLL) ends with ".dll", indicating a dynamic link library file.
    • It ensures that this DLL path does not point to common system directories like %systemroot%, C:\Program Files (x86)\, or C:\Program Files\. This is because legitimate DLLs are typically stored in these directories, and a path outside of these could indicate a potentially malicious DLL.
  4. Purpose: By identifying DLLs that are not in standard system directories, the query aims to catch instances where an attacker might be redirecting legitimate COM object calls to a malicious DLL, a technique known as CLSID hijacking.

Overall, this query helps in identifying suspicious registry modifications that could indicate an attempt by an attacker to achieve persistence or escalate privileges on a system through DLL hijacking.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: October 27, 2025

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents

Operators

//|where==startswithhasendswithnothas_any

MITRE Techniques

Actions

GitHub