From d24039c14ad7680d6fdb0c06a1d2ea60fb90e5ed Mon Sep 17 00:00:00 2001 From: Zhu Yuheng <128050350+xpzhxhm@users.noreply.github.com> Date: Wed, 11 Feb 2026 23:38:53 +0000 Subject: [PATCH 1/4] Create persist-via-shellserviceobjectdelayload-registry-key.yml --- ...ellserviceobjectdelayload-registry-key.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml diff --git a/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml b/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml new file mode 100644 index 000000000..295202c42 --- /dev/null +++ b/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml @@ -0,0 +1,24 @@ +rule: + meta: + name: persist via ShellServiceObjectDelayLoad registry key + namespace: persistence/registry + authors: + - xpzhxhm@gmail.com + description: Match on files using ShellServiceObjectDelayLoad to persist + scopes: + static: file + dynamic: span of calls + att&ck: + - Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015] + references: + - https://blog.virustotal.com/2024/03/com-objects-hijacking.html + examples: + - c05ec67e75693127e5556eee229b88f93c7cef926cfe905dfd5464be9d305c94 + + features: + - and: + - os: windows + - match: set registry value + - or: + - string: /Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad/i + - string: /Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad/i From 97ed87a363655121ad1b95ab9c1b82b1786902c5 Mon Sep 17 00:00:00 2001 
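Review bot: The two patterns under the second `or` only fire when the full `Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` path is present as one extracted string, so a sample that builds the path from fragments or only carries the leaf subkey name is missed. The subkey name is distinctive enough on its own that a looser alternative such as `- string: /ShellServiceObjectDelayLoad/i` is worth considering; it would subsume both existing patterns (including the WOW6432Node variant) while catching the same legitimate autostart-inventory tooling the current patterns already catch. The `match: set registry value` leg and the `static: file` scope are revised in later patches of this series, so they are not raised here.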
From: Zhu Yuheng <128050350+xpzhxhm@users.noreply.github.com> Date: Wed, 18 Feb 2026 16:39:57 +0000 Subject: [PATCH 2/4] Update persist-via-shellserviceobjectdelayload-registry-key.yml Update rules and description, improve scope to function/basic block by adding HKLM constant, remove blank line. --- ...sist-via-shellserviceobjectdelayload-registry-key.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml b/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml index 295202c42..a4de02a08 100644 --- a/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml +++ b/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml @@ -4,9 +4,9 @@ rule: namespace: persistence/registry authors: - xpzhxhm@gmail.com - description: Match on files using ShellServiceObjectDelayLoad to persist + description: Match on files using ShellServiceObjectDelayLoad to persist. Windows Explorer uses this key to load COM objects at startup, allowing malicious DLLs to execute automatically. scopes: - static: file + static: function dynamic: span of calls att&ck: - Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015] @@ -14,11 +14,12 @@ rule: - https://blog.virustotal.com/2024/03/com-objects-hijacking.html examples: - c05ec67e75693127e5556eee229b88f93c7cef926cfe905dfd5464be9d305c94 - features: - and: - os: windows - - match: set registry value + - or: + - match: set registry value + - number: 0x80000002 = HKEY_LOCAL_MACHINE - or: - string: /Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad/i - string: /Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad/i From 2255cb0db9890818555f6fae24e9ff4585e0d0f9 Mon Sep 17 00:00:00 2001 
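Review bot: Making `number: 0x80000002 = HKEY_LOCAL_MACHINE` an alternative to `match: set registry value` in the second hunk drops the requirement that the function actually writes the key: a function that merely opens or enumerates the SSODL key under HKLM (autostart auditing or inventory code, for example) now satisfies `os: windows`, the hive constant and the path string, and is reported as persisting. If the hive constant was added to sharpen the match, keep the write as the required leg and make the hive a boost instead: `- match: set registry value` / `- optional:` / `  - number: 0x80000002 = HKEY_LOCAL_MACHINE`. Separately, `static: function` in the first hunk presumably requires the referenced `set registry value` rule to be scoped at function or narrower; that rule is not visible here, so please confirm before relying on the `match`.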
From: Zhu Yuheng <128050350+xpzhxhm@users.noreply.github.com> Date: Mon, 23 Feb 2026 21:32:59 +0000 Subject: [PATCH 3/4] Update persist-via-shellserviceobjectdelayload-registry-key.yml --- .../persist-via-shellserviceobjectdelayload-registry-key.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml b/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml index a4de02a08..90f1a8c0b 100644 --- a/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml +++ b/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml @@ -6,7 +6,7 @@ rule: - xpzhxhm@gmail.com description: Match on files using ShellServiceObjectDelayLoad to persist. Windows Explorer uses this key to load COM objects at startup, allowing malicious DLLs to execute automatically. scopes: - static: function + static: file dynamic: span of calls att&ck: - Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015] From 54dcd6dd2550ed1ce60fdce49baa693ac905a738 Mon Sep 17 00:00:00 2001 From: Zhu Yuheng <128050350+xpzhxhm@users.noreply.github.com> Date: Mon, 23 Feb 2026 23:33:28 +0000 Subject: [PATCH 4/4] Change the scope to function --- .../persist-via-shellserviceobjectdelayload-registry-key.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml b/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml index 90f1a8c0b..a4de02a08 100644 --- a/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml +++ b/persistence/registry/persist-via-shellserviceobjectdelayload-registry-key.yml 
@@ -6,7 +6,7 @@ rule: - xpzhxhm@gmail.com description: Match on files using ShellServiceObjectDelayLoad to persist. Windows Explorer uses this key to load COM objects at startup, allowing malicious DLLs to execute automatically. scopes: - static: file + static: function dynamic: span of calls att&ck: - Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015]
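Review bot: With `static: function` restored, the `description` context line in this hunk still opens with "Match on files using ShellServiceObjectDelayLoad to persist", which describes file scope rather than the function-level match this patch settles on; suggest `description: Match on functions that set the ShellServiceObjectDelayLoad registry key to persist.` followed by the existing explanatory sentence. Since this patch re-applies what PATCH 3 reverted, a short rationale for choosing function over file scope in the commit message would help future readers understand the final choice.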