Rule Documentation: Devtunnel Detection through Registry Modifications Involving InProcServer32 and MSAL Runtime
Devtunnel Registry
Query
DeviceRegistryEvents
| where RegistryKey contains "inprocserver32"
| where RegistryValueData contains "msalruntime"About this query
Explanation
This query is designed to detect suspicious changes to a specific part of the Windows registry (InProcServer32) that involve the term "msalruntime." Such changes can indicate that an attacker is trying to maintain unauthorized access or execute malicious code by manipulating how legitimate processes load DLLs. This technique is known as COM hijacking and can be used to evade detection. The query looks for registry events where the key includes "inprocserver32" and the value data includes "msalruntime."
