Query Details
# *CLSID override*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1574.001 | DLL | https://attack.mitre.org/techniques/T1574/001/ |
| TA0003 | Persistence | https://attack.mitre.org/tactics/TA0003/ |
#### Description
This rule detects modifications to the HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32 registry key where the RegistryValueData ends with ".dll" and does not point to common system directories (%systemroot%, C:\Program Files (x86)\, C:\Program Files\). This behavior is indicative of CLSID hijacking, a technique used by adversaries to achieve persistence or privilege escalation by redirecting legitimate COM object calls to a malicious DLL.
#### Author
- **Name:** Benjamin Zulliger
- **Github:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/
#### References
- https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
## Defender XDR
```KQL
// Based on https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
// CVE-2025-2783
DeviceRegistryEvents
// Only value writes, not key creation or deletion
| where ActionType == "RegistryValueSet"
// Per-user COM registration: HKCU\...\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32
| where RegistryKey startswith "HKEY_CURRENT_USER\\" and RegistryKey has "SOFTWARE\\Classes\\CLSID" and RegistryKey endswith "InProcServer32"
// Drop DLLs that live in the usual trusted locations
| where not(RegistryValueData has_any ("%systemroot%", "C:\\Program Files (x86)\\", "C:\\Program Files\\"))
// Keep only values that point at a DLL
| where RegistryValueData endswith ".dll"
```
This query is designed to detect potential malicious activity related to CLSID hijacking, a technique used by attackers to maintain persistence or escalate privileges on a system. Here's a simplified breakdown of what the query does:

- **Data Source:** It examines events related to changes in the Windows Registry, specifically registry value set actions (`DeviceRegistryEvents` with `ActionType == "RegistryValueSet"`).
- **Targeted Registry Key:** The query focuses on modifications to registry keys under `HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32`. This is the location where COM object configurations are stored; the InProcServer32 value holds the path of the DLL that implements the object.
- **Suspicious Behavior Detection:** It keeps only events whose `RegistryValueData` ends with ".dll" and does not contain `%systemroot%`, `C:\Program Files (x86)\`, or `C:\Program Files\`. This is because legitimate DLLs are typically stored in these directories, and a path outside of them could indicate a potentially malicious DLL.
- **Purpose:** By identifying DLLs that are not in standard system directories, the query aims to catch instances where an attacker might be redirecting legitimate COM object calls to a malicious DLL, a technique known as CLSID hijacking.

Overall, this query helps in identifying suspicious registry modifications that could indicate an attempt by an attacker to achieve persistence or escalate privileges on a system through DLL hijacking.
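As an added example that is not part of the original rule or the author's repository, the Python below replays each where-clause of the query over constructed DeviceRegistryEvents rows (the CLSID, key and file paths are made-up placeholders), so the exclusion and ".dll" filters can be checked offline.

```python
"""Replay the CLSID-hijack hunting filter over constructed DeviceRegistryEvents rows."""
import re
from dataclasses import dataclass

# Literal exclusions taken from the KQL query; KQL has_any is case-insensitive, so compare lower-cased.
TRUSTED_PATH_TERMS = ("%systemroot%", "C:\\Program Files (x86)\\", "C:\\Program Files\\")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$", re.IGNORECASE)


@dataclass(frozen=True)
class RegistryEvent:
    action_type: str          # DeviceRegistryEvents.ActionType
    registry_key: str         # DeviceRegistryEvents.RegistryKey
    registry_value_data: str  # DeviceRegistryEvents.RegistryValueData


def is_suspicious(ev: RegistryEvent) -> bool:
    """Apply the query's where-clauses in order (KQL string operators are case-insensitive)."""
    key, data = ev.registry_key.lower(), ev.registry_value_data.lower()
    if ev.action_type != "RegistryValueSet":
        return False
    if not (key.startswith("hkey_current_user\\") and "software\\classes\\clsid" in key
            and key.endswith("inprocserver32")):
        return False
    # Substring check approximates KQL has_any (term-based). The exclusions are literal strings,
    # so an expanded path such as C:\Windows\System32\x.dll is NOT excluded, exactly as in the query.
    if any(term.lower() in data for term in TRUSTED_PATH_TERMS):
        return False
    return data.endswith(".dll")


def hijacked_clsid(ev: RegistryEvent):
    """Pull the {CLSID} out of the key so an analyst can look up which COM object was redirected."""
    m = CLSID_RE.search(ev.registry_key)
    return m.group(1) if m else None


def hunt(events):
    """Return (CLSID, DLL path) for every row the query would surface."""
    return [(hijacked_clsid(e), e.registry_value_data) for e in events if is_suspicious(e)]


# Constructed sample rows; the CLSID is a placeholder, not a real COM class.
HKCU_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32"
SAMPLE_EVENTS = [
    RegistryEvent("RegistryValueSet", HKCU_KEY, r"C:\Users\alice\AppData\Roaming\update.dll"),  # hit
    RegistryEvent("RegistryValueSet", HKCU_KEY, "Apartment"),  # ThreadingModel value, not a .dll
    RegistryEvent("RegistryValueSet", HKCU_KEY, r"%SystemRoot%\System32\shell32.dll"),  # excluded term
    RegistryEvent("RegistryValueSet", HKCU_KEY, r"C:\Program Files\Vendor\app.dll"),  # excluded term
    RegistryEvent("RegistryValueSet", HKCU_KEY.replace("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"), r"C:\Temp\evil.dll"),  # HKLM out of scope
    RegistryEvent("RegistryKeyCreated", HKCU_KEY, ""),  # wrong ActionType
]
```

Running `hunt(SAMPLE_EVENTS)` returns only the first row; note that a value of `C:\Windows\System32\x.dll` would also be returned, because the query's exclusion list matches the literal `%systemroot%` string rather than its expansion.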

Benjamin Zulliger
Released: October 27, 2025