
Summary
This detection rule identifies the deletion of registry entries in paths associated with COM (Component Object Model) hijacking, specifically keys matching `.*\shell\open\command`. COM hijacking becomes possible when an attacker changes the program that runs for a given file type or protocol. Deletion of these keys is worth monitoring because it can indicate an attacker cleaning up after modifying the entries to abuse COM functionality. The rule filters registry deletion events by event type and by the ending of the target object, and excludes known legitimate operations to reduce false positives. The exclusions need careful tuning, since legitimate software installations and updates can also delete these keys and trigger the rule.
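The following is an added example, not part of the original rule page, showing how the detection logic described above can be applied to Sysmon registry events: keep only deletion events (Sysmon Event ID 12 with EventType `DeleteKey` or `DeleteValue`) whose `TargetObject` ends in `\shell\open\command`, then drop events from an allowlisted installer image. The sample events and the allowlist entry are constructed for illustration; the real rule's exclusions are not reproduced here.

```python
import re

# Pattern from the rule summary: the registry key ends in \shell\open\command.
SHELL_OPEN_COMMAND = re.compile(r".*\\shell\\open\\command$", re.IGNORECASE)

# Sysmon Event ID 12 reports registry key/value creation and deletion;
# the deletion subtypes are DeleteKey and DeleteValue.
REGISTRY_EVENT_ID = 12
DELETE_EVENT_TYPES = {"DeleteKey", "DeleteValue"}

# Constructed allowlist of images known to legitimately delete these keys.
# This is an assumption for the example, not the rule's own exclusion list.
ALLOWED_IMAGES = {r"c:\windows\system32\msiexec.exe"}

# Constructed sample events in the shape of Sysmon registry log records.
SAMPLE_EVENTS = [
    {   # Unknown process deletes a protocol handler key: should alert.
        "EventID": 12, "EventType": "DeleteKey",
        "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\ms-example\shell\open\command",
    },
    {   # Installer deletes the same kind of key: allowlisted, no alert.
        "EventID": 12, "EventType": "DeleteKey",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\exampleapp\shell\open\command",
    },
    {   # Value deletion: TargetObject carries the value name, so the
        # key-ending filter does not match it.
        "EventID": 12, "EventType": "DeleteValue",
        "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\exampleapp\shell\open\command\(Default)",
    },
    {   # Key creation on a matching path: not a deletion, no alert.
        "EventID": 12, "EventType": "CreateKey",
        "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
        "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\ms-example\shell\open\command",
    },
]


def is_suspicious_deletion(event: dict) -> bool:
    """Return True when the event is a registry deletion of a
    \\shell\\open\\command key by a non-allowlisted image."""
    if event.get("EventID") != REGISTRY_EVENT_ID:
        return False
    if event.get("EventType") not in DELETE_EVENT_TYPES:
        return False
    if not SHELL_OPEN_COMMAND.match(event.get("TargetObject", "")):
        return False
    # Normalise the image path before comparing against the allowlist.
    if event.get("Image", "").lower() in ALLOWED_IMAGES:
        return False
    return True


def scan(events: list[dict]) -> list[dict]:
    """Apply the detection to a batch of events and return the alerts."""
    return [e for e in events if is_suspicious_deletion(e)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT: {alert['Image']} deleted {alert['TargetObject']}")
```

Only the first sample event produces an alert. Because the match is on the key path ending, a `DeleteValue` event on the `(Default)` value of a matching key is not caught by this filter; if that case matters in an environment, the pattern needs a second clause for value names.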
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2020-05-02