sigma | DRL-1.1 | from SigmaHQ/sigma

Potential Persistence Via Scrobj.dll COM Hijacking

Detects registry changes that set scrobj.dll as the default value of a COM InprocServer32 key. This DLL looks for the ScriptletURL key to get the location of the script to execute.

Rule source: rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml

title: Potential Persistence Via Scrobj.dll COM Hijacking
id: fe20dda1-6f37-4379-bbe0-a98d400cae90
status: test
description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022-08-20
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'InprocServer32\(Default)'
        Details: 'C:\WINDOWS\system32\scrobj.dll'
    condition: selection
falsepositives:
    - Legitimate use of the dll.
level: medium
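
An added triage example (not part of the Sigma rule or the SigmaHQ project): this Python code applies the rule's selection to registry_set events and, for each hit, reports the ScriptletURL value set under the same CLSID, since that is where scrobj.dll reads the script location. The event dictionaries, CLSIDs and URL are constructed, and the `ScriptletURL\(Default)` key layout is an assumption.

```python
import re

# Strings copied from the rule's selection; Sigma compares strings case-insensitively.
SUFFIX = r"InprocServer32\(Default)".lower()
DETAILS = r"C:\WINDOWS\system32\scrobj.dll".lower()
# Captures the registry path up to and including the CLSID GUID.
CLSID_KEY = re.compile(r"^(.*\\CLSID\\\{[0-9a-f-]{36}\})\\", re.I)

def matches_rule(event):
    """True when a registry_set event satisfies the rule's selection."""
    return (event.get("TargetObject", "").lower().endswith(SUFFIX)
            and event.get("Details", "").lower() == DETAILS)

def clsid_key(target):
    """Lower-cased path of the CLSID key that owns this value, or None."""
    m = CLSID_KEY.match(target)
    return m.group(1).lower() if m else None

def triage(events):
    """One finding per rule hit, with the ScriptletURL set under the same CLSID, if any."""
    scriptlets = {}
    for ev in events:  # first pass: collect ScriptletURL values in any order
        key = clsid_key(ev.get("TargetObject", ""))
        if key and "\\scriptleturl\\" in ev["TargetObject"].lower():
            scriptlets[key] = ev.get("Details")
    findings = []
    for ev in events:  # second pass: rule hits, enriched with the script location
        if matches_rule(ev):
            key = clsid_key(ev["TargetObject"])
            findings.append({"clsid_key": key,
                             "scriptlet_url": scriptlets.get(key) if key else None})
    return findings

# Constructed sample events (hypothetical CLSIDs, SID and URL).
C1 = r"HKU\S-1-5-21-0-0-0-1001_Classes\CLSID\{11111111-2222-3333-4444-555555555555}"
C2 = r"HKLM\SOFTWARE\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
C3 = r"HKCR\CLSID\{99999999-8888-7777-6666-555555555555}"
SAMPLE_EVENTS = [
    {"TargetObject": C1 + r"\InprocServer32\(Default)", "Details": r"c:\windows\system32\scrobj.dll"},
    {"TargetObject": C1 + r"\ScriptletURL\(Default)", "Details": "https://example.invalid/a.sct"},
    {"TargetObject": C2 + r"\InprocServer32\(Default)", "Details": r"C:\Windows\System32\combase.dll"},
    {"TargetObject": C3 + r"\InprocServer32\(Default)", "Details": r"C:\WINDOWS\system32\scrobj.dll"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A hit with a populated `scriptlet_url` gives the analyst the script location to inspect; a hit without one still matches the rule and falls under its "Legitimate use of the dll" false-positive note until reviewed.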