AN1323: Analytic 1323
Correlate suspicious registry modifications to known COM object CLSIDs with subsequent DLL loads or unexpected binary execution paths. Detect placement of COM CLSID entries under HKEY_CURRENT_USER\Software\Classes\CLSID\ overriding default HKLM paths. Flag anomalous DLL loads traced back to hijacked COM registry changes.
Analyst context for executives and security teams
This analytic matters because Windows COM hijacking-style registry changes can turn normal application behavior into an unexpected code-loading path. For leaders, the decision value is whether the organization can connect a suspicious per-user registry change to later DLL loading or unusual binary execution before it becomes an incident-response surprise.
Executive priority
Prioritize validation where Windows endpoints are material to business operations and where user-context persistence or stealthy execution would complicate containment. The key executive question is not simply whether registry logging exists, but whether SOC and IR teams can prove correlation across registry modification, process execution, and DLL-load telemetry for the same host and user. This also supports audit and readiness evidence by showing that endpoint monitoring covers high-risk configuration changes, not just malware alerts.
Technical view
On Windows, validate detection logic that correlates modifications to COM CLSID registry entries, especially under HKEY_CURRENT_USER\Software\Classes\CLSID\, with subsequent DLL loads or unexpected binary execution paths. The analytic should pay attention to per-user CLSID entries that override default HKLM paths and then trace whether later process activity loads anomalous DLLs associated with those changes. Because no ATT&CK tactic or relationship context is supplied, treat this as a detection-engineering validation item tied to Windows registry, process, and module-load correlation rather than a complete technique-specific coverage claim.
Likely telemetry
- Windows registry modification events for COM CLSID paths, including HKEY_CURRENT_USER\Software\Classes\CLSID\
- Process creation events showing unexpected binary execution paths
- DLL or image/module load telemetry tied to process, user, and host context
- User and host identifiers needed to correlate registry changes with later execution
- Baseline data for expected COM CLSID locations and normal DLL load behavior
Detection direction
- Confirm that endpoint telemetry captures per-user COM CLSID registry writes, not only HKLM or system-wide registry changes.
- Correlate registry modification time, user, host, process lineage, and subsequent DLL loads or binary execution to reduce isolated-event noise.
- Tune for expected software installation, update, and enterprise management activity that may legitimately create or alter COM registrations.
- Review anomalous DLL paths, unsigned or unusual modules where available locally, and execution from unexpected user-writable locations, while avoiding unsupported assumptions not present in the ATT&CK object.
- Document gaps where DLL load telemetry is unavailable, registry auditing is incomplete, or data retention is too short to connect the registry change to later execution.
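As an added example (not part of the ATT&CK object or of Glexia's page), the correlation described in the Technical view and in the list above, run in Python over constructed sample events: the registry key shape, event field names, installer allow-list, user-writable path markers and 24-hour window are all assumptions for this illustration.

```python
import re
from datetime import datetime, timedelta

# Per-user CLSID InprocServer32 default-value writes, in HKCU form or the HKU\<SID> form
# that Sysmon-style registry telemetry records (key shape assumed for this example).
CLSID_RE = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[\d-]+)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]{36}\})\\InprocServer32(?:\\\(Default\))?$", re.IGNORECASE)
# Tuning knob (assumed): writers known to register COM servers legitimately in this environment.
ALLOWED_WRITERS = {r"c:\windows\system32\msiexec.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")  # assumed markers
WINDOW = timedelta(hours=24)  # registry write -> DLL load correlation window (assumed)

def find_com_hijack_loads(events, window=WINDOW):
    """Return one alert per per-user CLSID write whose registered DLL is later loaded
    by a process on the same host and under the same user within `window`."""
    alerts = []
    for w in events:
        m = w["type"] == "registry_set" and CLSID_RE.match(w["key"])
        if not m or w["process"].lower() in ALLOWED_WRITERS:
            continue
        dll, w_ts = w["value"].strip('"').lower(), datetime.fromisoformat(w["ts"])
        for e in events:
            if e["type"] != "image_load" or (e["host"], e["user"]) != (w["host"], w["user"]):
                continue
            delta = datetime.fromisoformat(e["ts"]) - w_ts
            if timedelta(0) <= delta <= window and e["image"].lower() == dll:
                alerts.append({"clsid": m.group(1).upper(), "host": w["host"], "user": w["user"],
                               "dll": e["image"], "writer": w["process"], "loader": e["process"],
                               "seconds_to_load": int(delta.total_seconds()),
                               "user_writable": any(k in dll for k in USER_WRITABLE_MARKERS)})
    return alerts

# Constructed sample telemetry (not real events): hosts, users, paths and CLSIDs are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "type": "registry_set", "host": "WS01", "user": "CORP\\alice",
     "process": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKU\S-1-5-21-100-200-300-1001\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32\(Default)",
     "value": r"C:\Program Files\Vendor\vendor.dll"},               # allow-listed installer: no alert
    {"ts": "2024-05-01T09:00:00", "type": "registry_set", "host": "WS01", "user": "CORP\\alice",
     "process": r"C:\Users\alice\Downloads\setup.exe",
     "key": r"HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "value": r"C:\Users\alice\AppData\Roaming\upd\helper.dll"},     # per-user override of a CLSID
    {"ts": "2024-05-01T09:05:00", "type": "image_load", "host": "WS01", "user": "CORP\\alice",
     "process": r"C:\Windows\explorer.exe", "image": r"C:\Users\alice\AppData\Roaming\upd\helper.dll"},
    {"ts": "2024-05-01T09:06:00", "type": "image_load", "host": "WS02", "user": "CORP\\bob",
     "process": r"C:\Windows\explorer.exe", "image": r"C:\Users\alice\AppData\Roaming\upd\helper.dll"},  # other host/user: not correlated
]
```

Calling `find_com_hijack_loads(SAMPLE_EVENTS)` yields a single alert for the second registry write, carrying both the writer and the loader so an IR triage can start from either event.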
Mitigation priorities
- Ensure Windows endpoint logging and EDR policies collect registry, process, and DLL/module-load evidence needed for this correlation.
- Harden change control and monitoring around COM CLSID registry locations, especially per-user HKCU paths that can override default HKLM behavior.
- Use least privilege and application control where appropriate to limit unauthorized execution and loading from unexpected paths.
- Create IR triage playbooks for suspicious COM CLSID changes that include registry review, process lineage, loaded modules, user context, and host containment criteria.
- Use detection validation exercises to prove the SOC can investigate correlated registry-to-DLL-load activity end to end.
Analyst notes and limits
The supplied object is a detection analytic for Windows focused on correlating suspicious COM CLSID registry modifications with subsequent DLL loads or unexpected binary execution. No relationships, tactics, aliases, or separate official detection field were supplied, so this take emphasizes practical validation of the described analytic rather than broader ATT&CK mapping.
This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, threat actor attribution, impact, or existing detection coverage. Local environment baselines, endpoint telemetry availability, and approved software behavior are required to decide severity and tune detections.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ed1954c9bb99… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack, AN1323 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.