COM Hijack via Script Object

Identifies COM hijacking that uses the script object host scrobj.dll. An attacker points the InprocServer32 value of a CLSID in a user's Classes hive at scrobj.dll; any legitimate process that later instantiates that CLSID loads scrobj.dll, which runs the attacker's scriptlet inside that process. The result is stealthy script execution and persistence in a trusted process without dropping a new executable.

id:9d556fd6-76a3-45d5-9d8d-cb8edf0282f2
categories:detect
confidence:medium
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Persistence, Defense Evasion
techniques:T1122 Component Object Model Hijacking

Query

registry where
  key_path == "*_Classes\\CLSID\\{*}\\InprocServer32*" and
  (bytes_written_string == "scrobj*" or bytes_written_string == "*\\scrobj*")
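The following Python is an added example, not part of the eqllib analytic or Endgame's code. It re-implements the query above as a plain function (EQL string comparison is case-insensitive and treats "*" as the only wildcard) and runs it over constructed registry events, so the scope of the rule can be checked offline. Event layout, SIDs and CLSIDs below are placeholders made up for the example.

```python
"""Reference implementation of the 'COM Hijack via Script Object' query.

Added example: mirrors the EQL 'where' clause above so its matching
behaviour can be exercised against sample events without an EQL engine.
"""
import re

# Patterns copied from the analytic, as EQL string literals.
KEY_PATH_PATTERN = r"*_Classes\CLSID\{*}\InprocServer32*"
VALUE_PATTERNS = (r"scrobj*", r"*\scrobj*")


def eql_wildcard(pattern):
    """Compile an EQL-style string pattern into a regex.

    '*' matches any run of characters (including none); every other
    character is literal; matching is case-insensitive, as in EQL.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


KEY_PATH_RE = eql_wildcard(KEY_PATH_PATTERN)
VALUE_RES = [eql_wildcard(p) for p in VALUE_PATTERNS]


def matches(event):
    """True when a registry event satisfies the analytic's where clause."""
    if event.get("event_type") != "registry":      # 'registry where ...'
        return False
    key_path = event.get("key_path", "")
    written = event.get("bytes_written_string", "")
    return bool(KEY_PATH_RE.match(key_path)) and any(r.match(written) for r in VALUE_RES)


def run(events):
    """Return the ids of all events the analytic would alert on."""
    return sorted(e["id"] for e in events if matches(e))


# Constructed sample events (placeholder SID and CLSID, not real telemetry).
USER_CLSID = (r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001_Classes"
              r"\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32")
MACHINE_CLSID = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"
                 r"\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32")

SAMPLE_EVENTS = [
    # 1: hijack in the user's Classes hive, full path to scrobj.dll -> alert
    {"id": 1, "event_type": "registry", "key_path": USER_CLSID,
     "bytes_written_string": r"C:\Windows\System32\scrobj.dll"},
    # 2: same hijack with a bare module name (loader search path) -> alert
    {"id": 2, "event_type": "registry", "key_path": USER_CLSID,
     "bytes_written_string": "scrobj.dll"},
    # 3: mixed case -> still alerts, EQL compares case-insensitively
    {"id": 3, "event_type": "registry", "key_path": USER_CLSID.upper(),
     "bytes_written_string": r"c:\windows\system32\SCROBJ.DLL"},
    # 4: benign per-user COM registration pointing at an ordinary DLL -> no alert
    {"id": 4, "event_type": "registry", "key_path": USER_CLSID,
     "bytes_written_string": r"C:\Program Files\Example\server.dll"},
    # 5: machine-wide registration under HKLM\SOFTWARE\Classes -> no alert:
    #    the '*_Classes\' pattern only covers per-user hives (HKU\<SID>_Classes)
    {"id": 5, "event_type": "registry", "key_path": MACHINE_CLSID,
     "bytes_written_string": r"C:\Windows\System32\scrobj.dll"},
    # 6: scrobj.dll written to a Run key, not InprocServer32 -> no alert here
    {"id": 6, "event_type": "registry",
     "key_path": r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001"
                 r"\Software\Microsoft\Windows\CurrentVersion\Run",
     "bytes_written_string": r"C:\Windows\System32\scrobj.dll"},
    # 7: not a registry event at all -> filtered by the event type
    {"id": 7, "event_type": "process", "key_path": USER_CLSID,
     "bytes_written_string": "scrobj.dll"},
]

if __name__ == "__main__":
    print("alerting event ids:", run(SAMPLE_EVENTS))
```

Two points a practitioner should take from the sample run: the "_Classes" anchor deliberately scopes the rule to per-user hives, which is where an unprivileged hijack lands, so a hijack registered machine-wide under HKLM\SOFTWARE\Classes (event 5) needs a separate rule; and the rule keys only on the InprocServer32 module name, so on an alert pull the ScriptletURL value stored under the same key to see which scriptlet would actually run.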

Contributors