Potential Persistence Via Scrobj.dll COM Hijacking
Detects use of scrobj.dll as a COM in-process server: this DLL looks up the ScriptletURL key to find the location of the script to execute.
Sigma rule
title: Potential Persistence Via Scrobj.dll COM Hijacking
id: fe20dda1-6f37-4379-bbe0-a98d400cae90
status: test
description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022-08-20
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'InprocServer32\(Default)'
        Details: 'C:\WINDOWS\system32\scrobj.dll'
    condition: selection
falsepositives:
    - Legitimate use of the dll.
level: medium
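To see what this selection actually fires on, here is an added Python example (not code from the SigmaHQ rule or its author) that re-implements the selection's map semantics, Sigma's default case-insensitive string comparison and the `endswith` modifier, and runs them over constructed Sysmon-style registry_set events. The CLSIDs, SIDs and file paths in the sample events are placeholders, not values from the page.

```python
"""Added example: evaluate the rule's selection against constructed
Sysmon Event ID 13 (RegistryEvent, value set) records."""

from typing import Dict, List

# The rule's selection, transcribed from the YAML above. Sigma compares strings
# case-insensitively unless the 'cased' modifier is used, so the matcher below
# lower-cases both sides before comparing.
SELECTION: Dict[str, str] = {
    "TargetObject|endswith": r"InprocServer32\(Default)",
    "Details": r"C:\WINDOWS\system32\scrobj.dll",
}

# Constructed sample events. Sysmon renders a key's default value as
# '(Default)', which is what the rule's endswith anchors on. The CLSID
# {00000000-...} is a placeholder, not a real COM class.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 0. Matches: InprocServer32 default value pointed at scrobj.dll.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\WINDOWS\system32\scrobj.dll"},
    # 1. Also matches: same path in different case (Sigma matching is case-insensitive).
    {"EventID": 13, "Image": r"C:\Windows\System32\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "Details": r"c:\windows\System32\SCROBJ.DLL"},
    # 2. No match: a TreatAs redirection; the related TreatAs rules cover that key.
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\TreatAs\(Default)",
     "Details": "{11111111-1111-1111-1111-111111111111}"},
    # 3. No match: an ordinary COM server registration pointing at another DLL.
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Example\example.dll"},
    # 4. No match: ThreadingModel under the same key; the rule only inspects (Default).
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ThreadingModel",
     "Details": "Apartment"},
]


def field_matches(event: Dict[str, object], field_spec: str, expected: str) -> bool:
    """Compare one event field against one selection entry ('Field|modifier')."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = expected.lower()
    if modifier == "":
        return actual == wanted
    if modifier == "endswith":
        return actual.endswith(wanted)
    if modifier == "startswith":
        return actual.startswith(wanted)
    if modifier == "contains":
        return wanted in actual
    raise ValueError("unsupported Sigma modifier: " + modifier)


def matches_rule(event: Dict[str, object]) -> bool:
    """A map-type selection is a logical AND over all of its entries."""
    return all(field_matches(event, spec, exp) for spec, exp in SELECTION.items())


def evaluate(events: List[Dict[str, object]]) -> List[int]:
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev['Image']} set {ev['TargetObject']} = {ev['Details']}")
```

Events 0 and 1 alert, the rest do not. When triaging a hit, the Image that wrote the value and the CLSID being re-pointed are the two fields that separate the rule's stated false positive (legitimate use of the DLL, typically by an installer) from a persistence attempt; a backend that maps TargetObject to a differently named field must keep the same trailing `InprocServer32\(Default)` check.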
Related rules
- COM Hijacking via TreatAs
- Potential COM Object Hijacking Via TreatAs Subkey - Registry
- Potential PSFactoryBuffer COM Hijacking
- Potential Persistence Using DebugPath
- Rundll32 Registered COM Objects