CLSID Override
Query
// Based on https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
//CVE-2025-2783
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith "HKEY_CURRENT_USER\\" and RegistryKey has "SOFTWARE\\Classes\\CLSID" and RegistryKey endswith "InProcServer32"
| where not(RegistryValueData has_any ("%systemroot%", "C:\\Program Files (x86)\\", "C:\\Program Files\\"))
| where RegistryValueData endswith ".dll"About this query
CLSID override
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1574.001 | DLL | https://attack.mitre.org/techniques/T1574/001/ |
| TA0003 | Persistence | https://attack.mitre.org/tactics/TA0003/ |
Description
This rule detects modifications to the HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID{CLSID}\InProcServer32 registry key where the RegistryValueData ends with ".dll" and does not point to common system directories (%systemroot%, C:\Program Files (x86), C:\Program Files). This behavior is indicative of CLSID hijacking, a technique used by adversaries to achieve persistence or privilege escalation by redirecting legitimate COM object calls to a malicious DLL
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to detect potential malicious activity related to CLSID hijacking, a technique used by attackers to maintain persistence or escalate privileges on a system. Here's a simplified breakdown of what the query does:
-
Data Source: It examines events related to changes in the Windows Registry, specifically looking at registry value set actions.
-
Targeted Registry Key: The query focuses on modifications to registry keys under
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32. This is a location where COM object configurations are stored. -
Suspicious Behavior Detection:
- It checks if the registry value data (the path to a DLL) ends with ".dll", indicating a dynamic link library file.
- It ensures that this DLL path does not point to common system directories like
%systemroot%,C:\Program Files (x86)\, orC:\Program Files\. This is because legitimate DLLs are typically stored in these directories, and a path outside of these could indicate a potentially malicious DLL.
-
Purpose: By identifying DLLs that are not in standard system directories, the query aims to catch instances where an attacker might be redirecting legitimate COM object calls to a malicious DLL, a technique known as CLSID hijacking.
Overall, this query helps in identifying suspicious registry modifications that could indicate an attempt by an attacker to achieve persistence or escalate privileges on a system through DLL hijacking.
