COM Hijack via Script Object¶
Identifies COM hijacking using the script object host scrobj.dll, which allows for stealthy execution of scripts in legitimate processes.
| id: | 9d556fd6-76a3-45d5-9d8d-cb8edf0282f2 |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping¶
| tactics: | Persistence, Defense Evasion |
|---|---|
| techniques: | T1122 Component Object Model Hijacking |
Query¶
registry where
registry_path == "*_Classes\\CLSID\\{*}\\InprocServer32*" and
(registry_data == "scrobj*" or registry_data == "*\\scrobj*")