COM Object Hijacking Registry Keys
Location
HKCU\Software\Classes\CLSID\ and HKLM\SOFTWARE\Classes\CLSID\
Description
Component Object Model (COM) hijacking abuses the order in which Windows resolves COM class registrations: per-user CLSID entries (HKCU) are consulted before machine-wide entries (HKLM), so an attacker who registers a malicious DLL path under a per-user CLSID entry (typically its InprocServer32 subkey) shadows the legitimate registration. Any application that instantiates the hijacked COM object then loads the attacker-controlled DLL.
Forensic Value
COM hijacking is a stealthy persistence mechanism: the malicious DLL executes inside a legitimate, often signed, process, which lets it slip past application whitelisting and blend into normal system activity, and because HKCU is writable by the logged-on user the hijack needs no administrative rights. Entries under HKCU\Software\Classes\CLSID with InprocServer32 (DLL) or LocalServer32 (executable) subkeys that point to unusual paths, especially user-writable locations such as AppData or Temp, are strong indicators of compromise. Comparing HKCU CLSID entries against the baseline HKLM entries reveals hijacked objects, since legitimate per-user COM registrations are rare. The last-write timestamps on these registry keys can establish when the persistence was planted, and the referenced DLL can be extracted for malware analysis.
Tools Required
Collection Commands
Autoruns
autorunsc.exe -a * -ct -h -s -nobanner > C:\output\autoruns_all.csv
Registry Explorer
RECmd.exe -f UsrClass.dat --sk InprocServer32 --csv C:\output --csvf com_hijack_hkcu.csv
RECmd.exe -f UsrClass.dat --sk LocalServer32 --csv C:\output --csvf com_hijack_hkcu_local.csv
Note: offline, HKCU\Software\Classes is backed by the user's UsrClass.dat hive (%LocalAppData%\Microsoft\Windows\UsrClass.dat), not by NTUSER.DAT; --sk matches every key whose name contains the given string, which returns each server subkey under the CLSID entries.
PowerShell
Get-ChildItem "HKCU:\Software\Classes\CLSID" -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_
    foreach ($server in "InprocServer32", "LocalServer32") {
        if ($clsid.GetSubKeyNames() -contains $server) {
            $path = (Get-ItemProperty -Path "$($clsid.PSPath)\$server").'(default)'
            [pscustomobject]@{ CLSID = $clsid.PSChildName; Server = $server; Path = $path }
        }
    }
}
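To show the HKCU-versus-HKLM comparison described under Forensic Value applied to collected data, here is an added Python triage script (not part of this page or of any of the tools above) that takes rows in the shape (hive, CLSID, server subkey, default value), as you would extract from the CSV output of the commands above, and flags per-user entries that override the HKLM path or load from a user-writable directory. The sample rows, the placeholder CLSIDs and the directory heuristic are constructed assumptions.

```python
"""Triage exported CLSID entries: flag per-user (HKCU) COM servers that shadow a
machine-wide (HKLM) registration or that load from user-writable directories."""
import re
from collections import namedtuple

# Directories from which a legitimate COM server rarely loads (assumed heuristic).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|Downloads)\\", re.IGNORECASE)

Entry = namedtuple("Entry", "hive clsid server path")

# Constructed sample rows (hive, CLSID, server subkey, default value); CLSIDs are placeholders.
SAMPLE_ROWS = [
    ("HKLM", "{00000000-0000-0000-0000-00000000AAAA}", "InprocServer32", r"C:\Windows\System32\shell32.dll"),
    ("HKCU", "{00000000-0000-0000-0000-00000000AAAA}", "InprocServer32", r"C:\Users\alice\AppData\Roaming\update.dll"),
    ("HKLM", "{00000000-0000-0000-0000-00000000BBBB}", "InprocServer32", r"C:\Windows\System32\wshom.ocx"),
    ("HKCU", "{00000000-0000-0000-0000-00000000BBBB}", "InprocServer32", r"c:\windows\system32\WSHOM.OCX"),
    ("HKCU", "{00000000-0000-0000-0000-00000000CCCC}", "LocalServer32", r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    ("HKCU", "{00000000-0000-0000-0000-00000000DDDD}", "InprocServer32", r"C:\Program Files\Vendor\helper.dll"),
]

def parse_rows(rows):
    """Normalise hive and CLSID case so HKCU and HKLM rows can be matched."""
    return [Entry(h.upper(), c.upper(), s, p) for h, c, s, p in rows]

def triage(entries):
    """Return one finding per HKCU server entry that looks hijacked, with its reasons."""
    baseline = {(e.clsid, e.server): e.path for e in entries if e.hive == "HKLM"}
    findings = []
    for e in entries:
        if e.hive != "HKCU":
            continue  # only per-user entries can shadow the machine-wide registration
        reasons = []
        hklm_path = baseline.get((e.clsid, e.server))
        # Same CLSID registered in both hives with a different target: classic hijack.
        if hklm_path is not None and hklm_path.lower() != e.path.lower():
            reasons.append(f"overrides HKLM path {hklm_path}")
        # No baseline needed for this one: the server lives where a user can write.
        if USER_WRITABLE.search(e.path):
            reasons.append("server loads from a user-writable directory")
        if reasons:
            findings.append({"clsid": e.clsid, "server": e.server,
                             "path": e.path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(parse_rows(SAMPLE_ROWS)):
        print(f["clsid"], f["server"], f["path"], "; ".join(f["reasons"]))
```

Entry BBBB is not flagged because its per-user path only differs from the HKLM path in letter case, while AAAA and CCCC are reported.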