Potential Persistence Via Scrobj.dll COM Hijacking

Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute

Sigma rule

title: Potential Persistence Via Scrobj.dll COM Hijacking
id: fe20dda1-6f37-4379-bbe0-a98d400cae90
status: test
description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022-08-20
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'InprocServer32\(Default)'
        Details: 'C:\WINDOWS\system32\scrobj.dll'
    condition: selection
falsepositives:
    - Legitimate use of the dll.
level: medium
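The selection above, evaluated in plain Python over constructed registry_set events (Sysmon Event ID 13 shaped), as an added example that is not part of the rule or of SigmaHQ. Sigma string matching is case-insensitive by default, so the evaluator lower-cases both fields; the event values, CLSID and URL are constructed placeholders, and the non-matching events show where this exact-match rule stops (the SysWOW64 copy of the DLL and the ScriptletURL value itself).

```python
# Constructed sample events using the field names of the Sigma
# windows/registry_set logsource (TargetObject, Details). Not real telemetry.
SAMPLE_EVENTS = [
    {   # CLSID default server set to scrobj.dll -> expected to match
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKCR\\CLSID\\{PLACEHOLDER-CLSID}\\InprocServer32\\(Default)",
        "Details": "C:\\WINDOWS\\system32\\scrobj.dll",
    },
    {   # same DLL written with different casing -> still matches (Sigma is case-insensitive)
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "TargetObject": "HKCU\\Software\\Classes\\CLSID\\{PLACEHOLDER-CLSID}\\InprocServer32\\(Default)",
        "Details": "c:\\windows\\system32\\SCROBJ.DLL",
    },
    {   # unrelated COM server registration -> no match
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "TargetObject": "HKCR\\CLSID\\{PLACEHOLDER-CLSID}\\InprocServer32\\(Default)",
        "Details": "C:\\Windows\\System32\\oleaut32.dll",
    },
    {   # 32-bit copy of the DLL -> NOT matched, because Details is an exact-path equality
        "EventID": 13,
        "Image": "C:\\Windows\\SysWOW64\\reg.exe",
        "TargetObject": "HKCR\\CLSID\\{PLACEHOLDER-CLSID}\\InprocServer32\\(Default)",
        "Details": "C:\\WINDOWS\\SysWOW64\\scrobj.dll",
    },
    {   # the ScriptletURL value scrobj.dll reads -> NOT matched; the rule keys on the server path only
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKCR\\CLSID\\{PLACEHOLDER-CLSID}\\ScriptletURL",
        "Details": "http://placeholder.invalid/script.sct",
    },
]


def matches_rule(event):
    """Return True if the event satisfies the rule's 'selection' block."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    # TargetObject|endswith and a plain equality on Details, both case-insensitive
    return (target.endswith("inprocserver32\\(default)")
            and details == "c:\\windows\\system32\\scrobj.dll")


def find_alerts(events):
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetObject"])
```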
