Powershell COM Hijacking InprocServer32 Modification
- source: splunk
- techniques:
  - T1546.015
  - T1059
  - T1059.001
Description
The following analytic uses PowerShell Script Block Logging (EventCode 4104) to identify a script that attempts to modify or add a Component Object Model (COM) object's InProcServer32 path within the registry.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = "*Software\\Classes\\CLSID\\*\\InProcServer32*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_com_hijacking_inprocserver32_modification_filter`
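The search above expressed as standalone Python, as an added example that is not part of Splunk's content: it applies the same case-insensitive wildcard to constructed 4104 events, aggregates count/firstTime/lastTime by the same fields, and models the `_filter` macro as a hypothetical allowlist.

```python
import fnmatch
from datetime import datetime, timezone

# Wildcard from the rule; Splunk field searches are case-insensitive, so both sides are lowercased.
PATTERN = "*Software\\Classes\\CLSID\\*\\InProcServer32*"

# Constructed sample events (not real telemetry). _time is epoch seconds, as in Splunk.
HIJACK_BLOCK = ("Set-ItemProperty -Path 'HKCU:\\Software\\Classes\\CLSID\\{PLACEHOLDER-CLSID}\\InprocServer32'"
                " -Name '(Default)' -Value 'C:\\Users\\Public\\constructed.dll'")
EVENTS = [
    {"EventCode": 4104, "_time": 1704448800, "Computer": "ws01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1001", "ScriptBlockText": HIJACK_BLOCK},
    {"EventCode": 4104, "_time": 1704449100, "Computer": "ws01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1001", "ScriptBlockText": HIJACK_BLOCK},
    # Benign registry read on an unrelated key: must not match.
    {"EventCode": 4104, "_time": 1704448900, "Computer": "ws02.corp.local",
     "UserID": "S-1-5-21-1-2-3-500",
     "ScriptBlockText": "Get-ItemProperty 'HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'"},
    # Same text but wrong EventCode: the rule only looks at 4104 script blocks.
    {"EventCode": 4103, "_time": 1704449200, "Computer": "ws03.corp.local",
     "UserID": "S-1-5-21-1-2-3-1002", "ScriptBlockText": HIJACK_BLOCK},
]


def matches_rule(event):
    """EventCode=4104 ScriptBlockText="*Software\\Classes\\CLSID\\*\\InProcServer32*" (case-insensitive)."""
    text = event.get("ScriptBlockText", "")
    return event.get("EventCode") == 4104 and fnmatch.fnmatchcase(text.lower(), PATTERN.lower())


def aggregate(events):
    """stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID."""
    stats = {}
    for e in events:
        if not matches_rule(e):
            continue
        key = (e["EventCode"], e["ScriptBlockText"], e["Computer"], e["UserID"])
        s = stats.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        s["count"] += 1
        s["firstTime"] = min(s["firstTime"], e["_time"])
        s["lastTime"] = max(s["lastTime"], e["_time"])
    return stats


def apply_filter(stats, allowed_computers):
    """Hypothetical stand-in for the `_filter` macro: drop rows from allowlisted hosts."""
    return {k: v for k, v in stats.items() if k[2] not in allowed_computers}


def ctime(epoch):
    """Equivalent of `security_content_ctime`: epoch seconds to a readable UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
```

Tuning belongs in `apply_filter` (the macro), not in `PATTERN`; loosening the wildcard would also hide writes that use a different key casing.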