splApache-2.0from splunk/security_content
Malicious InProcServer32 Modification
The following analytic detects a process modifying the registry with a known malicious CLSID under InProcServer32. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on registry modifications within the HKLM or HKCU Software Classes CLSID paths. This activity is significant as it may indicate an attempt to load a malicious DLL, potentially leading to code execution. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or escalate privileges, posing a severe threat to system integrity and security.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/malicious_inprocserver32_modification.yml
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProcServer32\\(Default)" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_inprocserver32_modification_filter`