Add new rule persist-via-shellserviceobjectdelayload-registry-key.yml #1117

Open
xpzhxhm wants to merge 2 commits into mandiant:master from xpzhxhm:master
Conversation

@xpzhxhm commented Feb 12, 2026

Add new rule persist-via-shellserviceobjectdelayload-registry-key.yml
Closes #1114
Ref mandiant/capa-testfiles#303
https://blog.virustotal.com/2024/03/com-objects-hijacking.html

@mike-hunhoff (Collaborator) left a comment
Great, thanks @xpzhxhm . I've left comments for your review.

    namespace: persistence/registry
    authors:
      - xpzhxhm@gmail.com
    description: Match on files using ShellServiceObjectDelayLoad to persist

@mike-hunhoff (Collaborator):
Please expand this description to include how modifying this particular registry key achieves persistence.

      - xpzhxhm@gmail.com
    description: Match on files using ShellServiceObjectDelayLoad to persist
    scopes:
      static: file

@mike-hunhoff (Collaborator):
What about function or basic block scopes?

      - https://blog.virustotal.com/2024/03/com-objects-hijacking.html
    examples:
      - c05ec67e75693127e5556eee229b88f93c7cef926cfe905dfd5464be9d305c94

@mike-hunhoff (Collaborator):
Remove

Update rules and description, improve scope to function/basic block by adding HKLM constant, remove blank line.
@xpzhxhm (Author) commented Feb 18, 2026

Hi @mike-hunhoff.
Thanks for the review!
I've written a more detailed description and removed the blank line.
For the scope, I successfully narrowed it to function scope by adding `number: 0x80000002 = HKEY_LOCAL_MACHINE` to the features. The rule now correctly detects the sample at function scope.

@xpzhxhm (Author) commented Feb 18, 2026

I confirmed in IDA that this sample uses a helper function to write to the registry. The HKLM constant 0x80000002 and the string ShellServiceObjectDelayLoad reside in the parent function (sub_405224 in the sample), while RegSetValue is in a child function (sub_4053CD in the sample). My understanding is that adding the feature number: 0x80000002 will allow the rule to match the parent function.

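To see why swapping the registry-write API for the HKLM handle constant lets the rule match at function scope, here is a small simulation of capa-style feature matching. It is an example added here, not capa's code and not the rule submitted in this PR. The function names sub_405224 and sub_4053CD come from the comment above; the per-function feature sets, the two rule shapes, and the choice of RegSetValueExW as the write API are constructed assumptions for illustration. capa evaluates a function-scope rule against the features of one function at a time, and does not pull features from callees into the caller, which is what this toy reproduces.

```python
# Added illustration of capa-style scope matching; not capa's own code.
from dataclasses import dataclass, field

HKEY_LOCAL_MACHINE = 0x80000002  # HKLM handle constant, as used in the PR
HKEY_CURRENT_USER = 0x80000001   # HKCU, used only for the distractor function
SSODL_KEY = r"Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"


@dataclass
class Function:
    """Features a capa-like extractor would report for one function (constructed)."""
    name: str
    strings: set = field(default_factory=set)
    numbers: set = field(default_factory=set)
    apis: set = field(default_factory=set)


# Constructed stand-in for the call graph described in the PR discussion:
# the parent references the key path and HKLM, the child performs the registry write.
SAMPLE = [
    Function("sub_405224", strings={SSODL_KEY}, numbers={HKEY_LOCAL_MACHINE}),
    Function("sub_4053CD", apis={"advapi32.RegSetValueExW"}),
    # Unrelated HKCU writer: must not match either rule at any scope.
    Function("sub_401000", strings={r"Software\Classes"},
             numbers={HKEY_CURRENT_USER}, apis={"advapi32.RegSetValueExW"}),
]


def function_features(fn):
    """Feature set of a single function (function scope)."""
    feats = {("string", s) for s in fn.strings}
    feats |= {("number", n) for n in fn.numbers}
    feats |= {("api", a) for a in fn.apis}
    return feats


def file_features(fns):
    """Union of all function features (file scope)."""
    out = set()
    for fn in fns:
        out |= function_features(fn)
    return out


def evaluate(node, feats):
    """Evaluate a rule node: {"and": [...]}, {"or": [...]}, or a single leaf feature."""
    (kind, value), = node.items()
    if kind == "and":
        return all(evaluate(child, feats) for child in value)
    if kind == "or":
        return any(evaluate(child, feats) for child in value)
    if kind == "substring":
        return any(t == "string" and value in s for t, s in feats)
    if kind == "api":
        # Accept either the bare API name or the module-qualified form.
        return any(t == "api" and (a == value or a.split(".")[-1] == value)
                   for t, a in feats)
    return (kind, value) in feats


def match_functions(rule, fns):
    """Names of functions that satisfy the rule at function scope."""
    return [fn.name for fn in fns if evaluate(rule, function_features(fn))]


def match_file(rule, fns):
    """Whether the rule is satisfied at file scope."""
    return evaluate(rule, file_features(fns))


# Assumed shape of the rule as first reviewed: key name plus the write API.
RULE_STRING_AND_API = {"and": [
    {"substring": "ShellServiceObjectDelayLoad"},
    {"api": "RegSetValueExW"},
]}

# Assumed shape after the PR's change: the HKLM constant replaces the API,
# so every required feature is referenced inside the same function.
RULE_STRING_AND_HKLM = {"and": [
    {"substring": "ShellServiceObjectDelayLoad"},
    {"number": HKEY_LOCAL_MACHINE},
]}

if __name__ == "__main__":
    for label, rule in (("string+api", RULE_STRING_AND_API),
                        ("string+HKLM", RULE_STRING_AND_HKLM)):
        print(label, "file:", match_file(rule, SAMPLE),
              "functions:", match_functions(rule, SAMPLE))
```

Both rules match at file scope because file scope unions every function's features. Only the string+HKLM rule matches at function scope, and it matches the parent sub_405224, since the RegSetValue call lives in the child and is not visible from the parent's own feature set.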
Development

Successfully merging this pull request may close these issues.

persist via Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad