TypeLib COM Hijacking Attempt

Rule Info

Name
TypeLib COM Hijacking Attempt
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects attempts to hijack TypeLib COM objects through registry modifications made via reg.exe or PowerShell. In this technique, an adversary modifies the TypeLib registry to redirect legitimate COM objects to a malicious file found locally or hosted remotely.
Date
2025-04-22 00:00:00
Modified
None
Id
3c04e9c6-51a3-4f41-8fb8-44dd5eebf319
Tags
attack.persistence attack.t1546.015
Type
Nextron Sigma feed only (private)

Rule History