Global Security Forum


Potential COM Hijacking containing Hive Registry Was Reorganized

  • 1.  Potential COM Hijacking containing Hive Registry Was Reorganized

    Posted Mon December 26, 2022 02:24 AM
    Hi,
    The rule below was enabled after the IBM content pack extension was installed:
    Potential COM Hijacking containing Hive Registry Was Reorganized


    I was not able to find the exact steps in the analysis or investigation to find the root cause.

    Sample log:
    <13>Dec 20 19:12:49 SAMOBQA123 AgentDevice=WindowsLog	AgentLogFile=System	PluginVersion=7.2.9.72	Source=Microsoft-Windows-Kernel-General	Computer=SAMOBQA123.<companyname>.com	OriginatingComputer=10.x.x.x	User=SYSTEM	Domain=NT AUTHORITY	EventID=15	EventIDCode=15	EventType=4	EventCategory=0	RecordNumber=221214	TimeGenerated=1671543717	TimeWritten=1671543717	Level=Informational	Keywords=0x8000000000000000	Task=None	Opcode=Info	Message=Hive \SystemRoot\System32\Config\SOFTWARE was reorganized with a starting size of 101601280 bytes and an ending size of 101294080 bytes.
    If any of you know how to handle this offense, please share your guidance.

    Thanks in advance.

    ------------------------------
    Arunkumar R
    ------------------------------
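A triage helper for an offense like the one above, added here as an example; it is not from this thread, from IBM, or from the content pack. It parses the WinCollect-style event line quoted in the question (a syslog header followed by tab-separated key=value fields), and classifies it: Event ID 15 from Microsoft-Windows-Kernel-General with the "Hive ... was reorganized" message is Windows' routine registry-hive compaction and carries no COM-hijacking signal on its own, whereas a COM-hijack rule should key on registry writes under a user's Software\Classes\CLSID tree (the second, constructed line, using Security event 4657, shows that shape). Field names used (EventID, Source, Message) are the ones present in the sample log; the CLSID check and the constructed 4657 message text are assumptions made for the example.

```python
"""Triage helper for a 'Hive ... was reorganized' offense (added example)."""
import re

# Sample log line copied from the question (host name and redacted IP as posted).
SAMPLE_LOG = (
    "<13>Dec 20 19:12:49 SAMOBQA123 AgentDevice=WindowsLog\tAgentLogFile=System\t"
    "PluginVersion=7.2.9.72\tSource=Microsoft-Windows-Kernel-General\t"
    "Computer=SAMOBQA123.<companyname>.com\tOriginatingComputer=10.x.x.x\t"
    "User=SYSTEM\tDomain=NT AUTHORITY\tEventID=15\tEventIDCode=15\tEventType=4\t"
    "EventCategory=0\tRecordNumber=221214\tTimeGenerated=1671543717\t"
    "TimeWritten=1671543717\tLevel=Informational\tKeywords=0x8000000000000000\t"
    "Task=None\tOpcode=Info\tMessage=Hive \\SystemRoot\\System32\\Config\\SOFTWARE "
    "was reorganized with a starting size of 101601280 bytes and an ending size of "
    "101294080 bytes."
)

# CONSTRUCTED line (not from the thread): a registry value write under a per-user
# CLSID key, the kind of change a COM-hijacking rule should actually look at.
# Event 4657 (registry value modified) is real; the message wording and values are made up.
CONSTRUCTED_CLSID_WRITE = (
    "<13>Dec 20 19:13:02 SAMOBQA123 AgentDevice=WindowsLog\tAgentLogFile=Security\t"
    "Source=Microsoft-Windows-Security-Auditing\tComputer=SAMOBQA123.<companyname>.com\t"
    "User=jdoe\tDomain=CORP\tEventID=4657\tEventIDCode=4657\t"
    "Message=A registry value was modified. Object Name: "
    "\\REGISTRY\\USER\\S-1-5-21-0000-0000-0000-1001\\Software\\Classes\\CLSID\\"
    "{00000000-0000-0000-0000-000000000000}\\InprocServer32 "
    "Object Value Name: (Default) New Value: C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.dll"
)

# "<PRI>Mon DD HH:MM:SS host " prefix that precedes the key=value payload.
SYSLOG_HEADER_RE = re.compile(r"^<\d+>\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+")

# Kernel-General event 15 text: routine hive compaction, with before/after sizes.
HIVE_REORG_RE = re.compile(
    r"^Hive (\S+) was reorganized with a starting size of (\d+) bytes "
    r"and an ending size of (\d+) bytes\.$"
)

# Assumed indicator: any write whose object path contains a CLSID registration.
CLSID_PATH_RE = re.compile(r"\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}", re.IGNORECASE)


def parse_wincollect(line):
    """Split a WinCollect event line into a dict of its key=value fields."""
    payload = SYSLOG_HEADER_RE.sub("", line, count=1)
    fields = {}
    for chunk in payload.split("\t"):
        key, sep, value = chunk.partition("=")   # split on the first '=' only
        if sep:
            fields[key] = value
    return fields


def triage(fields):
    """Classify one parsed event for the 'COM hijacking / hive reorganized' offense."""
    event_id = fields.get("EventID")
    source = fields.get("Source", "")
    message = fields.get("Message", "")

    if event_id == "15" and source == "Microsoft-Windows-Kernel-General":
        m = HIVE_REORG_RE.match(message)
        if m:
            hive, start, end = m.group(1), int(m.group(2)), int(m.group(3))
            # Windows compacts hives on its own; the message carries no COM data at all.
            return {"verdict": "benign_hive_maintenance",
                    "hive": hive, "bytes_reclaimed": start - end}

    if event_id == "4657" and CLSID_PATH_RE.search(message):
        # A CLSID registration changed: worth an analyst's look (who wrote it, what path).
        return {"verdict": "review_com_registration_change",
                "user": fields.get("User"), "computer": fields.get("Computer")}

    return {"verdict": "not_matched"}


def triage_line(line):
    """Convenience wrapper: parse and classify one raw line."""
    return triage(parse_wincollect(line))


if __name__ == "__main__":
    for raw in (SAMPLE_LOG, CONSTRUCTED_CLSID_WRITE):
        print(triage_line(raw))
```

Run over the sample line this reports a benign hive compaction that freed 307200 bytes of the SOFTWARE hive; only the constructed 4657 line is routed to review. A rule that fires on the hive-reorganization message alone is matching on the wrong event, so the usual fix on the analyst side is to tune or exclude that event from the rule rather than investigate each occurrence.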


  • 2.  RE: Potential COM Hijacking containing Hive Registry Was Reorganized

    Posted Tue December 27, 2022 09:31 AM
    I read something about this a few days ago; I'm going to look it up and post it here.

    ------------------------------
    Hatoki Nato
    ------------------------------