Component Object Model Hijacking

Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. The InprocServer32, LocalServer32, TreatAs, DelegateExecute and ScriptletURL values decide which DLL, executable or scriptlet is loaded when a CLSID is instantiated; because per-user registrations under HKEY_USERS\<SID>\Software\Classes are consulted before the machine-wide ones for non-elevated processes, a write there redirects every process that loads that CLSID without requiring administrator rights.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: None

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 4

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

registry where
 /* uncomment once length is stable length(bytes_written_string) > 0 and */
 (registry.path : "HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
 not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*")
 or
 /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
 (registry.path : ("HKEY_USERS\\*Classes\\*\\InprocServer32\\",
                   "HKEY_USERS\\*Classes\\*\\LocalServer32\\",
                   "HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
                   "HKEY_USERS\\*Classes\\*\\TreatAs\\",
                   "HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and
 /* not necessary but good for filtering privileged installations */
 user.domain != "NT AUTHORITY")
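To see which registry events this query would and would not flag, the following added example reimplements the rule's where clause in Python and runs it over a handful of constructed endpoint registry events. It is not Elastic's code and not part of the rule: the wildcard helper only approximates the case-insensitive `*`/`?` semantics of EQL's `:` operator, the `!=` comparison against a missing `user.domain` is simplified to a plain string comparison (an assumption; every sample event below carries a domain), and the CLSID `{11111111-2222-3333-4444-555555555555}` and SID paths are made up for the samples.

```python
import re

# Wildcard patterns copied verbatim from the rule's EQL query. A Python "\\"
# is one backslash, exactly as in an EQL string literal.
SCROBJ_PATH = "HK*}\\InprocServer32\\"
SCROBJ_DATA = ("scrobj.dll", "C:\\*\\scrobj.dll")
SCROBJ_EXCLUDED_CLSID = "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*"
USER_HIVE_PATHS = (
    "HKEY_USERS\\*Classes\\*\\InprocServer32\\",
    "HKEY_USERS\\*Classes\\*\\LocalServer32\\",
    "HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
    "HKEY_USERS\\*Classes\\*\\TreatAs\\",
    "HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\",
)


def eql_like(value, pattern):
    """Approximate EQL's ':' operator: case-insensitive, '*' and '?' wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def any_match(values, patterns):
    """EQL 'field : (p1, p2)' over a scalar or array field: any value, any pattern."""
    if isinstance(values, str):
        values = [values]
    return any(eql_like(v, p) for v in values for p in patterns)


def rule_matches(event):
    """Return True when a registry event satisfies the rule's where clause."""
    path = event["registry.path"]
    data = event.get("registry.data.strings", [])
    # Branch 1: any hive, InprocServer32 default value pointing at scrobj.dll,
    # except the scriptlet CLSIDs that legitimately reference that DLL.
    scrobj_branch = (
        eql_like(path, SCROBJ_PATH)
        and any_match(data, SCROBJ_DATA)
        and not eql_like(path, SCROBJ_EXCLUDED_CLSID)
    )
    # Branch 2: any COM server registration under a user hive, unless written by
    # an NT AUTHORITY account (installers running as SYSTEM). Assumption: the
    # EQL '!=' is modelled as a plain string comparison; null handling is ignored.
    user_hive_branch = (
        any_match(path, USER_HIVE_PATHS)
        and event.get("user.domain") != "NT AUTHORITY"
    )
    return scrobj_branch or user_hive_branch


# Constructed sample events in the shape of Elastic endpoint registry events.
# SIDs and the {11111111-...} CLSID are made up; the 06290BD5 CLSID is one of
# the scriptlet CLSIDs the rule's exclusion wildcard covers.
SAMPLE_EVENTS = [
    {   # per-user DLL hijack: no scrobj.dll, but user-hive branch fires
        "name": "user-hive-inproc",
        "registry.path": "HKEY_USERS\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID"
                         "\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\",
        "registry.data.strings": ["C:\\Users\\alice\\AppData\\Roaming\\evil.dll"],
        "user.domain": "CORP",
    },
    {   # machine-wide CLSID repointed at scrobj.dll: scrobj branch fires
        "name": "scrobj-hklm",
        "registry.path": "HKLM\\SOFTWARE\\Classes\\CLSID"
                         "\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\",
        "registry.data.strings": ["C:\\Windows\\System32\\scrobj.dll"],
        "user.domain": "CORP",
    },
    {   # legitimate scriptlet CLSID referencing scrobj.dll: excluded
        "name": "scrobj-excluded-clsid",
        "registry.path": "HKLM\\SOFTWARE\\Classes\\CLSID"
                         "\\{06290BD5-48AA-11D2-8432-006008C3FBFC}\\InprocServer32\\",
        "registry.data.strings": ["C:\\Windows\\System32\\scrobj.dll"],
        "user.domain": "CORP",
    },
    {   # SYSTEM installer writing a user-hive LocalServer32: filtered by domain
        "name": "system-installer",
        "registry.path": "HKEY_USERS\\S-1-5-18\\Software\\Classes\\CLSID"
                         "\\{11111111-2222-3333-4444-555555555555}\\LocalServer32\\",
        "registry.data.strings": ["C:\\Program Files\\Vendor\\app.exe"],
        "user.domain": "NT AUTHORITY",
    },
]


def run(events):
    """Evaluate the rule over a list of events; returns (name, matched) pairs."""
    return [(e["name"], rule_matches(e)) for e in events]


if __name__ == "__main__":
    for name, hit in run(SAMPLE_EVENTS):
        print(f"{'ALERT ' if hit else 'ignore'}  {name}")
```

The two false results are the ones to keep in mind when tuning: the scriptlet CLSID exclusion is keyed on the CLSID prefix, so a scrobj.dll reference under any other CLSID still alerts, and the `user.domain` filter silences only writes performed under NT AUTHORITY accounts, so a per-user installer running as the logged-on user will still produce an alert that needs triage.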

Framework: MITRE ATT&CK™