Component Object Model Hijacking

Elastic Detection Rules

Summary
This detection rule identifies Component Object Model (COM) hijacking through registry modifications, a technique adversaries use to establish persistence on Windows systems. COM hijacking occurs when an attacker registers their own binary under an existing COM object so that it is loaded in place of the legitimate component whenever that object is instantiated. The rule analyzes registry changes to the server registration subkeys of COM objects, specifically 'InprocServer32' and 'LocalServer32', while filtering out recognized trusted processes and known Microsoft executables to reduce false positives. Investigation steps include examining the process execution chain, the actions of the user involved, and other alerts in the environment, as well as analyzing the files referenced by the modified registry values for malicious content. Setup requires a custom ingest pipeline on versions prior to 8.2 to populate event timestamps, and the rule is mapped to the MITRE ATT&CK tactics Persistence and Privilege Escalation. Response actions following an alert include initiating incident response, isolating the affected system, searching for additional malware, and assessing whether credentials need to be secured.
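As an added illustration of the detection logic the summary describes (this is example code written for this page, not the Elastic rule's own query), the script below scans constructed registry-modification events for writes to a CLSID's InprocServer32 or LocalServer32 subkey, then drops events from an assumed allowlist of trusted installer processes and events whose new server path points at a binary under an assumed set of Microsoft system directories. The field names follow ECS naming (process.executable, registry.path, registry.data.strings) as an assumption; the allowlist, directory list and sample events are constructed for the example and are not the rule's actual exclusions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Server registration subkeys named on the page, matched anywhere under a CLSID key.
# Matches ...\CLSID\{GUID}\InprocServer32 or ...\CLSID\{GUID}\LocalServer32.
COM_SERVER_RE = re.compile(
    r"\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\(InprocServer32|LocalServer32)(\\|$)",
)

# Assumption: a small allowlist of process images treated as trusted installers.
# The real rule's exclusion list is not reproduced here.
TRUSTED_PROCESSES = {
    "c:\\windows\\system32\\msiexec.exe",
    "c:\\program files\\trusted vendor\\setup.exe",   # hypothetical vendor installer
}

# Assumption: server binaries under these directories are treated as known Microsoft files.
MICROSOFT_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


@dataclass
class RegistryEvent:
    process_executable: str   # ECS process.executable
    registry_path: str        # ECS registry.path (full path of the value written)
    registry_data: str        # ECS registry.data.strings (the server DLL/EXE path written)


def is_com_server_key(path: str) -> bool:
    """True when the written value lives under a CLSID's InprocServer32/LocalServer32 key."""
    return COM_SERVER_RE.search(path) is not None


def is_trusted_process(executable: str) -> bool:
    return executable.lower() in TRUSTED_PROCESSES


def is_microsoft_binary(data: str) -> bool:
    """True when the registered server path points into an assumed Microsoft directory."""
    normalized = data.strip().strip('"').lower()
    return normalized.startswith(MICROSOFT_DIRS)


def detect_com_hijack(events: Iterable[RegistryEvent]) -> List[RegistryEvent]:
    """Return the events that would raise a COM-hijacking alert under this logic."""
    alerts = []
    for ev in events:
        if not is_com_server_key(ev.registry_path):
            continue                       # not a COM server registration
        if is_trusted_process(ev.process_executable):
            continue                       # trusted installer, excluded
        if is_microsoft_binary(ev.registry_data):
            continue                       # re-registering a known Microsoft binary
        alerts.append(ev)
    return alerts


# Constructed sample events; the GUID, SID and paths are placeholders.
CLSID_KEY = r"Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}"
SAMPLE_EVENTS = [
    # Unsigned binary from a temp directory re-pointing a per-user COM object: should alert.
    RegistryEvent(
        r"C:\Users\alice\AppData\Local\Temp\update.exe",
        r"HKEY_USERS\S-1-5-21-1111\ " .strip() + CLSID_KEY + r"\InprocServer32\(Default)",
        r"C:\Users\alice\AppData\Roaming\svc.dll",
    ),
    # Trusted installer registering a component: excluded.
    RegistryEvent(
        r"C:\Windows\System32\msiexec.exe",
        r"HKEY_LOCAL_MACHINE\ " .strip() + CLSID_KEY + r"\InprocServer32\(Default)",
        r"C:\Program Files\Trusted Vendor\component.dll",
    ),
    # Unknown process, but the server path is a known Microsoft binary: excluded.
    RegistryEvent(
        r"C:\Users\alice\tool.exe",
        r"HKEY_USERS\S-1-5-21-1111\ " .strip() + CLSID_KEY + r"\LocalServer32\(Default)",
        r"C:\Windows\System32\shell32.dll",
    ),
    # Unknown process writing an unrelated key: not a COM server registration.
    RegistryEvent(
        r"C:\Users\alice\tool.exe",
        r"HKEY_LOCAL_MACHINE\Software\ExampleApp\Setting",
        "1",
    ),
]


if __name__ == "__main__":
    for alert in detect_com_hijack(SAMPLE_EVENTS):
        print(f"ALERT {alert.process_executable} -> {alert.registry_path} = {alert.registry_data}")
```

Only the first sample event survives all three filters; the others show the two exclusion paths the summary mentions (trusted process, known Microsoft executable) and a non-COM registry write. In practice the process and file referenced by an alert are the starting points for the investigation steps listed above.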
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1546
  • T1546.015
  • T1112
Created: 2020-11-18