Detection rules › Splunk
Suspicious InprocServer32 Registry Modification (Sysmon)
The Windows Disk Cleanup utility is a legacy tool designed to delete cache and temporary files to improve system performance and free up hard disk space. Threat actors may insert a malicious DLL path into the registry key for the Disk Cleanup Scheduled Task, ensuring that their code is executed whenever Disk Cleanup runs, thus maintaining persistence on the compromised system without immediate detection. This use case detects commands to edit Disk Cleanup registry keys to include DLLs
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1546.015 Event Triggered Execution: Component Object Model Hijacking |
| Privilege Escalation | T1546.015 Event Triggered Execution: Component Object Model Hijacking |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
Rule body yaml
id: '28655.52127'
title: Suspicious InprocServer32 Registry Modification
description: The Windows Disk Cleanup utility is a legacy tool designed to delete
cache and temporary files to improve system performance and free up hard disk space.
Threat actors may insert a malicious DLL path into the registry key for the Disk
Cleanup Scheduled Task, ensuring that their code is executed whenever Disk Cleanup
runs, thus maintaining persistence on the compromised system without immediate detection.
This use case detects commands to edit Disk Cleanup registry keys to include DLLs.
Living Off the Land Binary and Scripts (LOLBAS) (LOLBIN)
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` ((TERM(EventCode=1) OR "<EventID>1<")
(TERM(reg) OR "reg.exe") (TERM(add) "/t" "/d" "/v")) OR (TERM(EventCode=13) OR "<EventCode>13<")
"HKCU\\SOFTWARE\\Classes\\CLSID\\*\\InprocServer32" ".dll" | table _time, host,
user, parent_process_name, process_* | bin span=1s | stats values(*) as * by _time,
host '
techniques:
- persistence:event triggered execution:component object model hijacking
technique_id:
- T1546.015
data_category:
- Windows Sysmon
- Windows Registry
references:
- https://pentestlab.blog/2024/01/29/persistence-disk-clean-up/
- https://cocomelonc.github.io/persistence/2022/11/16/malware-pers-19.html
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` ((TERM(EventCode=1) OR "<EventID>1<") (TERM(reg) OR "reg.exe") (TERM(add) "/t" "/d" "/v")) OR (TERM(EventCode=13) OR "<EventCode>13<") "HKCU\\SOFTWARE\\Classes\\CLSID\\*\\InprocServer32" ".dll"
Stage 2: table
| table _time, host, user, parent_process_name, process_*
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>1<" |
| 1 | TERM |
| 1 | reg |
| 1 | "reg.exe" |
| 1 | TERM |
| 1 | add |
| 1 | "/t" |
| 1 | "/d" |
| 1 | "/v" |
| 1 | TERM |
| 1 | "<EventCode>13<" |
| 1 | "HKCU\\SOFTWARE\\Classes\\CLSID\\*\\InprocServer32" |
| 1 | ".dll" |