Global Security Forum


Potential COM Hijacking containing Hive Registry Was Reorganized

  • 1.  Potential COM Hijacking containing Hive Registry Was Reorganized

    Posted Mon December 26, 2022 02:24 AM
    Hi,
    The rule below was enabled after the IBM content pack extension was installed:
    Potential COM Hijacking containing Hive Registry Was Reorganized


    I was not able to find the exact steps in the analysis or investigation to find the root cause.

    Sample log:
    <13>Dec 20 19:12:49 SAMOBQA123 AgentDevice=WindowsLog	AgentLogFile=System	PluginVersion=7.2.9.72	Source=Microsoft-Windows-Kernel-General	Computer=SAMOBQA123.<companyname>.com	OriginatingComputer=10.x.x.x	User=SYSTEM	Domain=NT AUTHORITY	EventID=15	EventIDCode=15	EventType=4	EventCategory=0	RecordNumber=221214	TimeGenerated=1671543717	TimeWritten=1671543717	Level=Informational	Keywords=0x8000000000000000	Task=None	Opcode=Info	Message=Hive \SystemRoot\System32\Config\SOFTWARE was reorganized with a starting size of 101601280 bytes and an ending size of 101294080 bytes.
    If any of you know how to handle this offense, please share your guidance.

    Thanks in Advance

    ------------------------------
    Arunkumar R
    ------------------------------
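    Added example, not from the thread or from IBM: a small parser for the tab-separated key=value WinCollect line quoted above, plus a helper that recognises a Microsoft-Windows-Kernel-General Event ID 15 hive reorganization and pulls out the hive path and the start/end sizes, which are the fields an analyst would record when documenting why this offense fired on a routine hive-maintenance event. The sample line is constructed from the one in the post (the `<companyname>` and `10.x.x.x` placeholders are kept as posted).

```python
import re
from typing import Optional, Tuple

# Constructed sample modelled on the WinCollect line quoted in the question.
SAMPLE = ("<13>Dec 20 19:12:49 SAMOBQA123 AgentDevice=WindowsLog\tAgentLogFile=System\t"
          "PluginVersion=7.2.9.72\tSource=Microsoft-Windows-Kernel-General\t"
          "Computer=SAMOBQA123.<companyname>.com\tOriginatingComputer=10.x.x.x\t"
          "User=SYSTEM\tDomain=NT AUTHORITY\tEventID=15\tEventIDCode=15\tEventType=4\t"
          "EventCategory=0\tRecordNumber=221214\tTimeGenerated=1671543717\t"
          "TimeWritten=1671543717\tLevel=Informational\tKeywords=0x8000000000000000\t"
          "Task=None\tOpcode=Info\tMessage=Hive \\SystemRoot\\System32\\Config\\SOFTWARE "
          "was reorganized with a starting size of 101601280 bytes and an ending size of "
          "101294080 bytes.")

# Message text of the Kernel-General hive reorganization event.
HIVE_RE = re.compile(r"Hive (?P<hive>\S+) was reorganized with a starting size of "
                     r"(?P<start>\d+) bytes and an ending size of (?P<end>\d+) bytes")


def parse_wincollect(line: str) -> dict:
    """Split a WinCollect syslog line into its tab-separated key=value fields.

    The leading '<PRI>timestamp host ' prefix is dropped; the first field
    starts at 'AgentDevice='. Only the first '=' of each token is a separator,
    so a Message containing '=' would still be kept intact.
    """
    body = line[line.index("AgentDevice="):]
    fields = {}
    for token in body.split("\t"):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def hive_reorg_summary(line: str) -> Optional[Tuple[str, int, int]]:
    """Return (hive_path, start_bytes, end_bytes) when the line is a
    Microsoft-Windows-Kernel-General Event ID 15 hive reorganization, else None."""
    f = parse_wincollect(line)
    if f.get("Source") != "Microsoft-Windows-Kernel-General" or f.get("EventID") != "15":
        return None
    m = HIVE_RE.search(f.get("Message", ""))
    if not m:
        return None
    return m["hive"], int(m["start"]), int(m["end"])


if __name__ == "__main__":
    print(hive_reorg_summary(SAMPLE))
```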


  • 2.  RE: Potential COM Hijacking containing Hive Registry Was Reorganized

    Posted Tue December 27, 2022 09:31 AM
    I read something about this a few days ago; I'm going to look it up and post it here.

    ------------------------------
    Hatoki Nato
    ------------------------------