
Summary
This detection rule identifies attempts to hijack user sessions through modifications to COM object registry settings, specifically the "RunAs" value being set to "Interactive User", which causes the COM server to run in the logged-on user's interactive session. Such changes are often associated with malicious activity aiming to escalate privileges and evade defenses. The rule uses EQL (Event Query Language) to query registry events from multiple sources, focusing on recent registry modifications (deletions excluded) that match specific registry path and value criteria. The assigned risk score is relatively high, indicating a significant concern for security personnel monitoring the endpoint. The note section of the rule provides a detailed triage and analysis guide, suggesting investigation steps and possible false positives that analysts should consider when responding to alerts. It also outlines response strategies to mitigate potential risks, including isolating affected systems and restoring compromised registry settings to their secure state.
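The following Python script is an added illustration of the detection logic the summary describes; it is not the rule's own EQL query and not code from the rule's authors. It assumes a simplified registry-event schema (action, value path, value data, modifying process) and a constructed set of sample events. The matched path, an AppID key's RunAs value under Classes or Classes\Wow6432Node, is the standard location of the COM RunAs setting; the filter accepts only non-deletion modifications whose data is "Interactive User", mirroring the criteria in the summary.

```python
import re
from dataclasses import dataclass


@dataclass
class RegistryEvent:
    """Constructed, simplified registry event (assumed schema, not a real sensor format)."""
    action: str   # "modification" or "deletion"
    path: str     # full registry value path
    data: str     # value data as a string
    process: str  # executable that performed the change


# Matches ...\Classes\AppID\{GUID}\RunAs or ...\Classes\Wow6432Node\AppID\{GUID}\RunAs.
RUNAS_VALUE_PATH = re.compile(
    r"\\Classes\\(?:Wow6432Node\\)?AppID\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\RunAs$",
    re.IGNORECASE,
)

# Constructed sample events; GUIDs and paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    # Suspicious: RunAs switched to the interactive user's session by a temp-dir binary.
    RegistryEvent("modification",
                  r"HKLM\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000001}\RunAs",
                  "Interactive User", r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    # Deletion of the value: excluded by the rule's "not a deletion" criterion.
    RegistryEvent("deletion",
                  r"HKLM\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000002}\RunAs",
                  "", r"C:\Windows\regedit.exe"),
    # Benign: installer assigns a service account, not "Interactive User".
    RegistryEvent("modification",
                  r"HKLM\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000003}\RunAs",
                  r"NT AUTHORITY\NetworkService", r"C:\Windows\System32\msiexec.exe"),
    # Unrelated registry value with the same data string: wrong path, no alert.
    RegistryEvent("modification",
                  r"HKCU\Software\Example\RunAs",
                  "Interactive User", r"C:\Program Files\Example\app.exe"),
    # Suspicious: 32-bit COM registration under Wow6432Node.
    RegistryEvent("modification",
                  r"HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{00000000-0000-0000-0000-000000000004}\RunAs",
                  "interactive user", r"C:\Windows\SysWOW64\regsvr32.exe"),
]


def is_suspicious(event: RegistryEvent) -> bool:
    """Apply the summary's criteria: a non-deletion change of an AppID RunAs value to Interactive User."""
    if event.action.lower() == "deletion":
        return False
    if not RUNAS_VALUE_PATH.search(event.path):
        return False
    return event.data.strip().lower() == "interactive user"


def find_alerts(events):
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if is_suspicious(e)]


def triage_record(event: RegistryEvent) -> dict:
    """Fields an analyst would pivot on first: which AppID changed and who changed it."""
    appid = re.search(r"\{[0-9A-Fa-f-]{36}\}", event.path).group(0)
    return {"appid": appid, "process": event.process, "wow64": "wow6432node" in event.path.lower()}


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(triage_record(alert))
```

For real telemetry the filter would read the same three fields from the sensor's registry event schema; the triage record deliberately surfaces the modifying process, since the rule's own guidance treats the process that changed the value as the first investigation pivot.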
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- Network Traffic
- File
ATT&CK Techniques
- T1112
- T1562
Created: 2025-04-14