RegAsm.EXE Initiating Network Connection To Public IP

Detects "RegAsm.exe" initiating a network connection to public IP addresses

Sigma rule

```yaml
title: RegAsm.EXE Initiating Network Connection To Public IP
id: 0531e43a-d77d-47c2-b89f-5fe50321c805
status: experimental
description: Detects "RegAsm.exe" initiating a network connection to public IP addresses
references:
    - https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/
    - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
author: frack113
date: 2024/04/25
tags:
    - attack.defense_evasion
    - attack.t1218.009
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\regasm.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
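To see how the `selection and not 1 of filter_main_*` condition behaves on real-looking telemetry, here is an added Python re-implementation of the rule's logic (example code, not part of the Sigma rule or the Sigma project) run over constructed network_connection events. The field names follow the rule (`Image`, `Initiated`, `DestinationIp`); the event values are made up.

```python
import ipaddress

# Ranges excluded by the rule's filter_main_local_ranges block (copied from the rule).
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

def is_local(ip: str) -> bool:
    """True if ip falls inside one of the rule's excluded ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: do not silently suppress the alert
    # Note: an IPv4-mapped IPv6 address such as ::ffff:10.0.0.1 is not inside any
    # IPv4 network here, so it would not be filtered; normalise upstream if needed.
    return any(addr in net for net in LOCAL_RANGES)

def matches_rule(event: dict) -> bool:
    """Apply 'selection and not 1 of filter_main_*' to one network_connection event."""
    image = event.get("Image", "")
    initiated = str(event.get("Initiated", "")).lower() == "true"
    # Sigma string matching is case-insensitive, so compare lower-cased.
    selection = initiated and image.lower().endswith("\\regasm.exe")
    return selection and not is_local(event.get("DestinationIp", ""))

# Constructed sample events (Sysmon-style network_connection fields), not real telemetry.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"Image": REGASM, "Initiated": "true", "DestinationIp": "198.51.100.23"},  # public: alert
    {"Image": REGASM, "Initiated": "true", "DestinationIp": "10.20.30.40"},    # RFC1918: filtered
    {"Image": REGASM, "Initiated": "true", "DestinationIp": "fe80::1"},        # link-local: filtered
    {"Image": REGASM, "Initiated": "false", "DestinationIp": "198.51.100.23"}, # inbound: no match
    {"Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": "true", "DestinationIp": "198.51.100.23"},                   # other image: no match
]

def evaluate(events):
    """Return one True/False verdict per event."""
    return [matches_rule(e) for e in events]

if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", e["Image"], "->", e["DestinationIp"])
```

Only the first sample event fires; the others are dropped by the filter block, the `Initiated` check, or the image name.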
