Sample rules
Windows New InProcServer32 Added
- source: splunk
- techniques:
- T1112
Description
The following analytic detects the addition of new InProcServer32 registry keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel to identify changes in registry paths associated with InProcServer32. This activity is significant because malware often uses this mechanism to achieve persistence or execute malicious code by registering a new InProcServer32 key pointing to a harmful DLL. If confirmed malicious, this could allow an attacker to persist in the environment or execute arbitrary code, posing a significant threat to system integrity and security.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_new_inprocserver32_added_filter`
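The search above only runs inside Splunk, so the following Python re-implements the same pipeline stage by stage (wildcard path match, group-by with count/firstTime/lastTime, time formatting, and a tuning filter) over a handful of constructed registry events. This is an added example, not code from the Splunk security content project; the event dictionaries, the field names that mirror the Endpoint.Registry datamodel, and the allowlist used as a stand-in for the `windows_new_inprocserver32_added_filter` macro are all assumptions made for the example.

```python
"""Python re-implementation of the 'Windows New InProcServer32 Added' logic.
Added example; the events below are constructed, not captured telemetry."""
from datetime import datetime, timezone

# Fields the SPL groups by (Endpoint.Registry datamodel names, object prefix dropped).
GROUP_FIELDS = ("registry_path", "registry_key_name", "registry_value_name",
                "registry_value_data", "dest", "process_guid", "user")

# Constructed sample registry-modification events (assumed shape, invented values).
CLSID_A = "{00000000-0000-0000-0000-000000000001}"
CLSID_B = "{00000000-0000-0000-0000-000000000002}"
SAMPLE_EVENTS = [
    # A DLL in a user-writable folder registered as a COM in-process server.
    {"_time": 1700000000, "dest": "ws01", "user": "WS01\\alice", "process_guid": "{guid-1}",
     "registry_path": "HKLM\\SOFTWARE\\Classes\\CLSID\\" + CLSID_A + "\\InProcServer32\\(Default)",
     "registry_key_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\" + CLSID_A + "\\InProcServer32",
     "registry_value_name": "(Default)",
     "registry_value_data": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},
    # Same key written again by the same process five minutes later: aggregates to count=2.
    {"_time": 1700000300, "dest": "ws01", "user": "WS01\\alice", "process_guid": "{guid-1}",
     "registry_path": "HKLM\\SOFTWARE\\Classes\\CLSID\\" + CLSID_A + "\\InProcServer32\\(Default)",
     "registry_key_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\" + CLSID_A + "\\InProcServer32",
     "registry_value_name": "(Default)",
     "registry_value_data": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},
    # An installer registering a DLL under Program Files: matches the path, dropped by the filter.
    {"_time": 1700000600, "dest": "ws02", "user": "NT AUTHORITY\\SYSTEM", "process_guid": "{guid-2}",
     "registry_path": "HKLM\\SOFTWARE\\Classes\\CLSID\\" + CLSID_B + "\\InProcServer32\\(Default)",
     "registry_key_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\" + CLSID_B + "\\InProcServer32",
     "registry_value_name": "(Default)",
     "registry_value_data": "C:\\Program Files\\Vendor\\vendor.dll"},
    # Unrelated Run-key write: never matches the InProcServer32 path wildcard.
    {"_time": 1700000900, "dest": "ws01", "user": "WS01\\alice", "process_guid": "{guid-3}",
     "registry_path": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "registry_key_name": "\\REGISTRY\\USER\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "registry_value_name": "Updater",
     "registry_value_data": "C:\\Users\\alice\\updater.exe"},
]


def matches_inprocserver32(registry_path):
    """Equivalent of where Registry.registry_path="*\\InProcServer32\\*"
    (SPL wildcard matching is case-insensitive, so compare lower-cased)."""
    return "\\inprocserver32\\" in registry_path.lower()


def aggregate(events):
    """tstats count min(_time) as firstTime max(_time) as lastTime ... by GROUP_FIELDS."""
    groups = {}
    for ev in events:
        if not matches_inprocserver32(ev["registry_path"]):
            continue
        key = tuple(ev[f] for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))  # drop_dm_object_name(Registry): plain field names
        row.update(g)
        rows.append(row)
    return rows


def security_content_ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch seconds -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Assumed stand-in for `windows_new_inprocserver32_added_filter`: suppress servers whose
# DLL lives in a location normally written only by trusted installers. Tune per environment.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                        "c:\\program files\\", "c:\\program files (x86)\\")


def inprocserver32_filter(rows):
    """Keep only rows whose registered DLL path is outside the trusted prefixes."""
    return [r for r in rows if not r["registry_value_data"].lower().startswith(TRUSTED_DLL_PREFIXES)]


def run_detection(events):
    """Full pipeline: match, aggregate, format times, apply the tuning filter."""
    rows = inprocserver32_filter(aggregate(events))
    for r in rows:
        r["firstTime"] = security_content_ctime(r["firstTime"])
        r["lastTime"] = security_content_ctime(r["lastTime"])
    return rows


if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(r["dest"], r["user"], r["count"], r["firstTime"], r["lastTime"], r["registry_value_data"])
```

Running it prints a single row for the Temp-folder DLL with count 2, while the Program Files registration survives the path match but is removed by the filter stage, which is exactly where the macro in the real search is meant to carry environment-specific allowlisting.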