Detectionmediumtest

Potential Persistence Via Scrobj.dll COM Hijacking

Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sat Aug 20Updated Thu Aug 17fe20dda1-6f37-4379-bbe0-a98d400cae90windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: 'InprocServer32\(Default)'
        Details: 'C:\WINDOWS\system32\scrobj.dll'
    condition: selection

False Positives

Legitimate use of the dll.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence

Sub-techniques

T1546.015 · Component Object Model Hijacking

Rule Metadata

Rule ID

fe20dda1-6f37-4379-bbe0-a98d400cae90

Status

test

Level

medium

Type

Detection

Created

Sat Aug 20

Modified

Thu Aug 17

Author

François Hubaut

Path

rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1546.015

View on GitHub