
Windows COM Hijacking InprocServer32 Modification

Splunk Security Content

Summary
This analytic rule detects modifications to the InProcServer32 registry key on Windows systems, a potential indicator of COM hijacking. The detection relies on telemetry from Endpoint Detection and Response (EDR) agents, specifically process and command-line execution logs. COM hijacking is a technique attackers use to inject malicious code that executes in the context of legitimate software, allowing them to maintain persistence on a system. This analytic identifies instances where the reg.exe process modifies the InProcServer32 registry key, which can facilitate unauthorized code execution, disruption of legitimate services, and long-term access within a compromised environment. The rule runs searches against the endpoint processes datamodel and integrates logging sources such as Sysmon and Windows Event Logs. Alerts generated by this detection can indicate malicious activity that requires investigation.
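As an added illustration of the detection logic the summary describes (this is not Splunk's own search; the field names, the read-only verb filter and the sample events are assumptions), a Python pass over constructed process events that flags reg.exe writes to an InProcServer32 key and pulls out the hive and CLSID for triage:

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# reg.exe verbs that write to the registry; `query`/`export` only read.
# Gating on the verb is an assumption added here to cut read-only noise.
MODIFY_VERBS = {"add", "delete", "import", "restore", "copy", "load"}
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

@dataclass
class Finding:
    user: str
    parent: str
    hive: str            # an HKCU entry wins over HKLM for a user-context COM lookup
    clsid: Optional[str]
    command: str

def classify_hive(cmd_lower: str) -> str:
    if "hkcu" in cmd_lower or "hkey_current_user" in cmd_lower:
        return "HKCU"
    if "hklm" in cmd_lower or "hkey_local_machine" in cmd_lower:
        return "HKLM"
    return "other"

def detect_inprocserver32_modification(events):
    """Return one Finding per reg.exe event that writes an InProcServer32 key."""
    findings = []
    for ev in events:
        cmd = ev.get("process", "")
        lowered = cmd.lower()
        if ev.get("process_name", "").lower() != "reg.exe":
            continue
        if "inprocserver32" not in lowered:
            continue
        tokens = shlex.split(cmd, posix=False)  # keeps a quoted executable path whole
        verb = tokens[1].lower() if len(tokens) > 1 else ""
        if verb not in MODIFY_VERBS:
            continue
        clsid = CLSID_RE.search(cmd)
        findings.append(Finding(ev.get("user", "?"), ev.get("parent_process_name", "?"),
                                classify_hive(lowered), clsid.group(0) if clsid else None, cmd))
    return findings

# Constructed sample telemetry (not real events), shaped like normalized Endpoint.Processes fields.
SAMPLE_EVENTS = [
    {"process_name": "reg.exe", "parent_process_name": "cmd.exe", "user": "LAB\\alice",
     "process": r'reg.exe add "HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32" /ve /t REG_SZ /d "C:\Users\alice\AppData\Roaming\update.dll" /f'},
    {"process_name": "REG.EXE", "parent_process_name": "powershell.exe", "user": "LAB\\bob",
     "process": r'"C:\Windows\System32\REG.EXE" query "HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32"'},
    {"process_name": "reg.exe", "parent_process_name": "cmd.exe", "user": "LAB\\carol",
     "process": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /d C:\tmp\u.exe /f'},
    {"process_name": "reg.exe", "parent_process_name": "services.exe", "user": "NT AUTHORITY\\SYSTEM",
     "process": r'reg.exe add HKLM\SOFTWARE\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InProcServer32 /ve /d C:\Program Files\App\app.dll /f'},
]
```

Only the first and last sample events are reported: the `reg query` is read-only and the Run-key write does not touch InProcServer32.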
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
  • Windows Registry
ATT&CK Techniques
  • T1546
  • T1546.015
Created: 2024-12-10