Potential Persistence Via Scrobj.dll COM Hijacking

Aug 17, 2023 · attack.persistence attack.t1546.015 ·

Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Scrobj.dll COM Hijacking
 2id: fe20dda1-6f37-4379-bbe0-a98d400cae90
 3status: experimental
 4description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
 7author: frack113
 8date: 2022/08/20
 9modified: 2023/08/17
10tags:
11    - attack.persistence
12    - attack.t1546.015
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|endswith: 'InprocServer32\(Default)'
19        Details: 'C:\WINDOWS\system32\scrobj.dll'
20    condition: selection
21falsepositives:
22    - Legitimate use of the dll.
23level: medium

References

atomic-red-team/atomics/T1546.015/T1546.015.md at 40b77d63808dd4f4eafb83949805636735a1fd15 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More

Potential Persistence Via Scrobj.dll COM Hijacking

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1546.015/T1546.015.md at 40b77d63808dd4f4eafb83949805636735a1fd15 · redcanaryco/atomic-red-team

Related rules