CLSID DefaultIcon Value Tampering

Rule Info

Name
CLSID DefaultIcon Value Tampering
Author
X__Junior
Description
Detects potential COM object hijacking via the DefaultIcon value of a CLSID registry key. Adversaries have used CLSID DefaultIcon values to reference malicious payloads, store encrypted payloads, or conceal payload execution paths as part of defense-evasion and persistence chains.
Date
2026-01-31 00:00:00
Modified
None
Id
4ed8bf93-1edb-4fbb-a192-628f0f5e19bf
Tags
attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1546.015
Type
Nextron Sigma feed only (private)
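
The rule body itself is not published (private feed), so the following is an added illustration rather than the rule's logic: a Python heuristic run over constructed Sysmon Event ID 13 (RegistryEvent, value set) records. It flags writes to a CLSID DefaultIcon value whose data does not look like an icon reference (file.ico/.exe/.dll plus an optional index), points into a user-writable directory, or looks like an encoded blob. Field names follow Sysmon's schema; the GUIDs, SIDs, paths and images are made up for the sample, and the thresholds are assumptions to be tuned per environment.

```python
import re

# Matches the DefaultIcon subkey of any CLSID, with or without Sysmon's
# "\(Default)" suffix for the key's default value.
DEFAULTICON_RE = re.compile(
    r"\\CLSID\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
    r"\\DefaultIcon(?:\\\(Default\))?$",
    re.IGNORECASE,
)

# A well-formed DefaultIcon value: an icon container, optionally quoted,
# optionally followed by ",<index>" (negative indexes are resource IDs).
ICON_VALUE_RE = re.compile(
    r'^"?(?P<path>[^",]+?\.(?:ico|exe|dll|icl))"?(?:,-?\d+)?$', re.IGNORECASE
)

# Assumed list of directories a non-admin user can write to (tune per environment).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Assumed heuristic for "encoded payload stored in the value": one long run of
# base64-alphabet characters with no path separators at all.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{64,}")

# CONSTRUCTED sample events mirroring Sysmon Event ID 13 fields (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: browser registering its own protocol handler icon
        "EventID": 13,
        "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\"
                        "{11111111-2222-3333-4444-555555555555}\\DefaultIcon\\(Default)",
        "Details": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,0",
    },
    {   # suspicious: user-hive CLSID pointing at a non-icon file under AppData
        "EventID": 13,
        "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe",
        "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\"
                        "{22222222-3333-4444-5555-666666666666}\\DefaultIcon\\(Default)",
        "Details": "C:\\Users\\bob\\AppData\\Roaming\\upd\\payload.dat,0",
    },
    {   # suspicious: the value holds an encoded blob instead of a path
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\"
                        "{33333333-4444-5555-6666-777777777777}\\DefaultIcon\\(Default)",
        "Details": "QUJD" * 20,
    },
    {   # out of scope for this heuristic: a different CLSID subkey
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "TargetObject": "HKLM\\Software\\Classes\\CLSID\\"
                        "{44444444-5555-6666-7777-888888888888}\\InprocServer32\\(Default)",
        "Details": "C:\\Program Files\\Vendor\\vendor.dll",
    },
    {   # benign: machine-wide shell icon resource
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "TargetObject": "HKLM\\Software\\Classes\\CLSID\\"
                        "{55555555-6666-7777-8888-999999999999}\\DefaultIcon\\(Default)",
        "Details": "%SystemRoot%\\system32\\imageres.dll,-1",
    },
]


def classify_defaulticon(event):
    """Return the list of reasons a registry-set event looks like DefaultIcon
    tampering; an empty list means not applicable or benign-looking."""
    if event.get("EventID") != 13:
        return []
    if not DEFAULTICON_RE.search(event.get("TargetObject", "")):
        return []
    details = event.get("Details", "").strip()
    lower = details.lower()
    reasons = []
    if any(seg in lower for seg in USER_WRITABLE):
        reasons.append("icon path points into a user-writable directory")
    if ICON_VALUE_RE.match(details) is None:
        reasons.append("value is not an <icon-file>[,index] reference")
    if BLOB_RE.fullmatch(details):
        reasons.append("value looks like an encoded blob rather than a path")
    return reasons


def scan(events):
    """Run the heuristic over a batch of events; returns (TargetObject, reasons) hits."""
    hits = []
    for ev in events:
        reasons = classify_defaulticon(ev)
        if reasons:
            hits.append((ev["TargetObject"], reasons))
    return hits


if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_EVENTS):
        print(target)
        for r in reasons:
            print("   -", r)
```

Legitimate installers write DefaultIcon values under HKCU\Software\Classes\CLSID all the time, so the registry location alone is a weak signal; the value content and the writing process (the Image field) carry most of the weight, and a production rule would additionally baseline the CLSIDs that ordinarily appear in the environment.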

Rule History