false positives will be present if any scripts are adding to inprocserver32. filter as needed.

t1059
t1059.001
t1546.015
endpoint
splunk

Techniques

T1059
T1059.001
T1546.015

Sample rules

Powershell COM Hijacking InprocServer32 Modification

source: splunk
technicques:
- T1546.015
- T1059
- T1059.001

Description

The following analytic utilizes PowerShell ScriptBlock Logging to identify a script that is attempting to modify or add a component object model to inprocserver32 path within the registry.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Software\\Classes\\CLSID\\*\\InProcServer32*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_com_hijacking_inprocserver32_modification_filter`