Network Connection Initiated By Regsvr32.EXE
Detects a network connection initiated by "Regsvr32.exe"
Sigma rule:

```yaml
title: Network Connection Initiated By Regsvr32.EXE
id: c7e91a02-d771-4a6d-a700-42587e0b1095
status: test
description: Detects a network connection initiated by "Regsvr32.exe"
references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
    - attack.execution
    - attack.t1559.001
    - attack.defense-evasion
    - attack.t1218.010
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
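As an added example (not part of the Sigma project or of this rule), the selection above evaluated in Python against constructed Sysmon Event ID 3 style records. The field names follow the rule and Sysmon's network_connection schema; the sample paths and addresses are made up.

```python
# Added example, not part of the Sigma project or this rule: evaluates the
# rule's selection against constructed Sysmon Event ID 3 style records.
from typing import Dict, List


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when an event satisfies the rule's 'selection' block.

    Sigma string comparisons are case-insensitive by default, so 'Image'
    is lower-cased before the 'endswith' test. The leading backslash in
    '\\regsvr32.exe' means only that exact file name matches, not
    look-alikes such as 'notregsvr32.exe'.
    """
    initiated = str(event.get("Initiated", "")).lower() == "true"
    image = str(event.get("Image", "")).lower()
    return initiated and image.endswith("\\regsvr32.exe")


def alerting_images(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image path of every event that would fire the rule."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed sample records using Sysmon's network_connection field names;
# IPs are documentation ranges, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "3", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    # Different case and the 32-bit path: still matches.
    {"EventID": "3", "Image": "C:\\Windows\\SysWOW64\\REGSVR32.EXE",
     "Initiated": "true", "DestinationIp": "198.51.100.7", "DestinationPort": "80"},
    # Inbound connection to the process: Initiated is false, no match.
    {"EventID": "3", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "Initiated": "false", "DestinationIp": "192.0.2.5", "DestinationPort": "49152"},
    # Look-alike file name: the backslash-anchored suffix does not match.
    {"EventID": "3", "Image": "C:\\Tools\\notregsvr32.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    # Unrelated process with an outbound connection: no match.
    {"EventID": "3", "Image": "C:\\Windows\\System32\\svchost.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.20", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for image in alerting_images(SAMPLE_EVENTS):
        print("ALERT:", image)
```

Running it prints an alert for the first two records only; the inbound, look-alike and unrelated-process records stay silent, which is the behaviour the two selection fields are meant to enforce.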
Related rules
- DNS Query Request By Regsvr32.EXE
- CMSTP Execution Process Access
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Suspicious Microsoft Office Child Process