Query Details

Rule Documentation: Devtunnel Detection through Registry Modifications Involving InProcServer32 and MSAL Runtime

Devtunnel Registry

Query

DeviceRegistryEvents
| where RegistryKey contains "inprocserver32"
| where RegistryValueData contains "msalruntime"

About this query

Explanation

This query is designed to detect suspicious changes to a specific part of the Windows registry (InProcServer32) that involve the term "msalruntime." Such changes can indicate that an attacker is trying to maintain unauthorized access or execute malicious code by manipulating how legitimate processes load DLLs. This technique is known as COM hijacking and can be used to evade detection. The query looks for registry events where the key includes "inprocserver32" and the value data includes "msalruntime."

Details

Ali Hussein profile picture

Ali Hussein

Released: September 9, 2024

Tables

DeviceRegistryEvents

Keywords

DevicesRegistryEventsPersistenceMechanismsWindowsMonitoringMaliciousDLLInjectionMSALRuntimeAbuse

Operators

containswhere|

MITRE Techniques

Actions

GitHub