
Summary
This detection rule identifies attempts at COM (Component Object Model) hijacking via writes to the TreatAs subkey of a CLSID in the Windows registry. TreatAs lets one COM class be emulated by another: when the value is set, requests for the original CLSID are redirected to the CLSID named in TreatAs\(Default). An attacker can point a CLSID that is loaded by a trusted, signed Windows binary (rundll32.exe is a common example) at a class that runs their payload, which is a persistence mechanism and, where the hijacked class is instantiated by a higher-privileged process, a path to privilege escalation. The rule matches registry value-set events whose TargetObject ends with 'TreatAs\(Default)'. It applies filters to separate legitimate activity from potentially malicious changes; specifically, it excludes writes made by executables under the Microsoft Office installation paths, which set TreatAs values during routine operation and would otherwise produce false positives. Because COM lookups consult the user hive (HKCU\Software\Classes) ahead of the machine hive, a TreatAs value written under a user's hive is the more suspicious of the two and warrants priority in triage. This rule is useful for monitoring persistent threats that abuse the COM infrastructure for unauthorized command execution.
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1546.015
Created: 2022-08-28