Potential Persistence Via Scrobj.dll COM Hijacking

Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Scrobj.dll COM Hijacking
 2id: fe20dda1-6f37-4379-bbe0-a98d400cae90
 3status: test
 4description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
 7author: frack113
 8date: 2022/08/20
 9modified: 2023/08/17
10tags:
11    - attack.persistence
12    - attack.t1546.015
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|endswith: 'InprocServer32\(Default)'
19        Details: 'C:\WINDOWS\system32\scrobj.dll'
20    condition: selection
21falsepositives:
22    - Legitimate use of the dll.
23level: medium

References

Related rules

to-top