Windows New InProcServer32 Added

Try in Splunk Security Cloud

Description

This analytic is designed to detect the addition of new InProcServer32 registry keys, which could indicate suspicious or malicious activity on a Windows endpoint. The InProcServer32 registry key specifies the path to a COM object that can be loaded into the process space of calling processes. Malware often abuses this mechanism to achieve persistence or execute code by registering a new InProcServer32 key pointing to a malicious DLL. By monitoring for the creation of new InProcServer32 keys, this analytic helps identify potential threats that leverage COM hijacking or similar techniques for execution and persistence. Understanding the normal behavior of legitimate software in your environment will aid in distinguishing between benign and malicious use of InProcServer32 modifications.

• Type: Hunting
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2024-03-20
• Author: Michael Haag, Splunk
• ID: 0fa86e31-0f73-4ec7-9ca3-dc88e117f1db

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1112	Modify Registry	Defense Evasion

Kill Chain Phase

• Exploitation

NIST

• DE.AE

CIS20

• CIS 10

CVE

ID	Summary	CVSS
cve-2024-21378	Microsoft Outlook Remote Code Execution Vulnerability	None

Search

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user 
| `drop_dm_object_name(Registry)` 
|`security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_new_inprocserver32_added_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly

windows_new_inprocserver32_added_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• Registry.registry_path
• Registry.registry_key_name
• Registry.registry_value_name
• Registry.registry_value_data
• Registry.dest
• Registry.process_guid
• Registry.user

How To Implement

To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Registry node.

Known False Positives

False positives are expected. Filtering will be needed to properly reduce legitimate applications from the results.

Associated Analytic Story

• Outlook RCE CVE-2024-21378

RBA

Risk Score	Impact	Confidence	Message
2.0	10	20	A new InProcServer32 registry key was added to a Windows endpoint. This could indicate suspicious or malicious activity on the $dest$ .

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1