Component Object Model Hijacking
Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
Version: 6
Rule authors:
- Elastic
Rule license: Elastic License v2
registry where
/* uncomment once length is stable length(bytes_written_string) > 0 and */
(registry.path : "HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*")
or
/* in general COM Registry changes on Users Hive is less noisy and worth alerting */
(registry.path : ("HKEY_USERS\\*Classes\\*\\InprocServer32\\",
"HKEY_USERS\\*Classes\\*\\LocalServer32\\",
"HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
"HKEY_USERS\\*Classes\\*\\TreatAs\\",
"HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and
not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and
/* not necessary but good for filtering privileged installations */
user.domain != "NT AUTHORITY")
Framework: MITRE ATT&CKTM
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Event Triggered Execution
- ID: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/
Sub-technique:
- Name: Component Object Model Hijacking
- ID: T1546.015
- Reference URL: https://attack.mitre.org/techniques/T1546/015/