DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
Sigma rule

```yaml
title: DNS Query Request By Regsvr32.EXE
id: 36e037c4-c228-4866-b6a3-48eb292b9955
related:
    - id: c7e91a02-d771-4a6d-a700-42587e0b1095
      type: derived
status: test
description: Detects DNS queries initiated by "Regsvr32.exe"
references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
    - attack.execution
    - attack.t1559.001
    - attack.defense-evasion
    - attack.t1218.010
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
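To show how the selection above is evaluated, here is an added example (not code from the Sigma project or any of its backends) that applies the rule's `Image|endswith` test, with Sigma's case-insensitive string semantics, to constructed Sysmon Event ID 22 (DNS query) records, which is what the `windows` / `dns_query` logsource maps to; the events are made up and use Sysmon's own field names.

```python
"""Evaluate this rule's detection block on constructed Sysmon EID 22 records.
Added example; not code from the Sigma project."""

# The detection block from the rule above, as a Python structure.
# Sigma string matching is case-insensitive; `|endswith` is a suffix test.
DETECTION = {
    "selection": {"Image|endswith": "\\regsvr32.exe"},
    "condition": "selection",
}

def _field_matches(event, key, expected):
    """Apply one Sigma field spec (field name plus optional modifier)."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:          # field absent from the event: no match
        return False
    value, expected = str(value).lower(), str(expected).lower()
    if modifier == "":
        return value == expected
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection):
    """A selection map is an AND of all its field specs."""
    return all(_field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event, detection=DETECTION):
    """Supports only the plain `condition: <selection name>` form this rule uses."""
    return selection_matches(event, detection[detection["condition"].strip()])

# Constructed Sysmon EID 22 events (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "QueryName": "example.com"},                  # matches
    {"EventID": 22, "Image": "C:\\Windows\\SysWOW64\\REGSVR32.EXE",
     "QueryName": "example.org"},                  # case differs, still matches
    {"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "QueryName": "example.com"},                  # benign process, no match
    {"EventID": 22, "Image": "C:\\Temp\\regsvr32.exe.bak",
     "QueryName": "example.net"},                  # suffix differs, no match
]

def alerts(events=SAMPLE_EVENTS):
    """Return the (Image, QueryName) pairs the rule would flag."""
    return [(e["Image"], e["QueryName"]) for e in events if rule_matches(e)]
```

Run `alerts()` to see the two regsvr32 queries flagged; as the rule's `falsepositives: Unknown` suggests, the hit list is a triage starting point, so the queried name and parent process should be reviewed before acting on it.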
Related rules
- Network Connection Initiated By Regsvr32.EXE
- CMSTP Execution Process Access
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Suspicious Microsoft Office Child Process