Network Connection Initiated By Regsvr32.EXE

Detects a network connection initiated by "Regsvr32.exe"

Sigma rule

title: Network Connection Initiated By Regsvr32.EXE
id: c7e91a02-d771-4a6d-a700-42587e0b1095
status: test
description: Detects a network connection initiated by "Regsvr32.exe"
references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019/10/25
modified: 2023/09/18
tags:
    - attack.execution
    - attack.t1559.001
    - attack.defense_evasion
    - attack.t1218.010
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
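To show what the selection above actually matches, here is the rule's detection logic applied to a few constructed Windows network_connection records (shaped like Sysmon Event ID 3 fields). This is an added example, not part of the rule or of the Sigma project: the event records are made up for illustration, and the two helpers reproduce only the Sigma semantics this rule relies on, case-insensitive string comparison and the `endswith` modifier.

```python
"""Apply the selection from the Sigma rule above to constructed sample events.

Added example; the events below are constructed, not real telemetry. The
helpers mirror Sigma's default matching for plain string values (case-
insensitive) and its `endswith` modifier, which is all this rule needs.
"""
from typing import Dict, List

# Constructed sample events with the field names the rule inspects
# (Initiated, Image) plus a few extra fields an analyst would pivot on.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Outbound connection by regsvr32.exe: should match.
    {"EventID": "3", "Image": r"C:\Windows\System32\regsvr32.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    # Same binary, upper-case path from the WOW64 directory: still matches,
    # because Sigma string values compare case-insensitively.
    {"EventID": "3", "Image": r"C:\Windows\SysWOW64\REGSVR32.EXE",
     "Initiated": "true", "DestinationIp": "198.51.100.7", "DestinationPort": "80"},
    # Inbound connection (Initiated is false): the rule must not fire.
    {"EventID": "3", "Image": r"C:\Windows\System32\regsvr32.exe",
     "Initiated": "false", "DestinationIp": "10.0.0.5", "DestinationPort": "49152"},
    # Different process: must not match.
    {"EventID": "3", "Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": "true", "DestinationIp": "10.0.0.20", "DestinationPort": "443"},
    # Look-alike filename that does not end in \regsvr32.exe: must not match.
    {"EventID": "3", "Image": r"C:\Temp\regsvr32.exe.bak",
     "Initiated": "true", "DestinationIp": "192.0.2.4", "DestinationPort": "8080"},
]


def sigma_equals(value: str, expected: str) -> bool:
    """Plain Sigma string values are compared case-insensitively."""
    return value.lower() == expected.lower()


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma's `endswith` modifier, also case-insensitive on plain strings."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: Dict[str, str]) -> bool:
    """The rule's `selection` block: both field conditions must hold (AND)."""
    return (
        sigma_equals(event.get("Initiated", ""), "true")
        and sigma_endswith(event.get("Image", ""), r"\regsvr32.exe")
    )


def find_matches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        # An analyst would next look at where the connection went and which
        # process launched regsvr32 (ParentImage in the process-creation event).
        print(f"ALERT: {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Running the block prints the two outbound regsvr32 events and nothing else; the inbound connection, the unrelated process and the look-alike filename all fall through. Since the rule lists its false positives as "Unknown", the destination address and the parent process of regsvr32.exe are the first things to check when triaging a hit.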
