Trend Micro
Event Triggered Execution: Component Object Model Hijacking (T1546.015)
See subtechnique results for:
Carbanak+FIN7: The subtechnique was not in scope.
APT29:
Step | ATT&CK Pattern
3.B.1 |
14.A.1 |
Procedure
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Footnotes
- The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.

