Potential Regsvr32 Commandline Flag Anomaly
Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" flag, which should be uncommon.
Sigma rule
```yaml
title: Potential Regsvr32 Commandline Flag Anomaly
id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
status: test
description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
references:
    - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
author: Florian Roth (Nextron Systems)
date: 2019-07-13
modified: 2024-03-13
tags:
    - attack.defense-evasion
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains|windash: ' -i:'
    filter_main_flag:
        CommandLine|contains|windash: ' -n '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrator typo might cause some false positives
level: medium
```
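To show how the selection, the filter and the `windash` dash/slash expansion combine, here is an added Python re-implementation of the rule logic run over constructed process-creation events; it is not part of the rule or the Sigma project, the set of dash variants is an assumption, and the sample paths and DLL names are placeholders.

```python
"""Evaluate this rule's selection/filter logic against constructed process-creation events."""

# Dash/slash variants expanded by Sigma's `windash` modifier (assumed set: -, /, en dash, em dash, horizontal bar).
WINDASH_CHARS = ["-", "/", "\u2013", "\u2014", "\u2015"]

def windash_variants(pattern: str) -> list[str]:
    """Return the pattern with its first '-' swapped for each dash/slash variant."""
    return [pattern.replace("-", ch, 1) for ch in WINDASH_CHARS]

def contains_windash(command_line: str, pattern: str) -> bool:
    """`contains|windash` check; Sigma string matching is case-insensitive."""
    cl = command_line.lower()
    return any(v.lower() in cl for v in windash_variants(pattern))

def regsvr32_flag_anomaly(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    command_line = event.get("CommandLine", "")
    selection = (
        event.get("Image", "").lower().endswith("\\regsvr32.exe")
        and contains_windash(command_line, " -i:")
    )
    filter_main_flag = contains_windash(command_line, " -n ")
    return selection and not filter_main_flag

# Constructed sample events (not real telemetry); paths and DLL names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /i:"install-args" C:\Temp\example.dll'},  # /i without /n -> alert
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /i:setup C:\Temp\example.dll"},     # /n present -> filtered
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": "regsvr32.exe \u2013i:setup C:\\Temp\\example.dll"},     # en dash form -> alert
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Temp\example.dll"},                 # plain registration -> no alert
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe /i:setup"},                               # other image -> no alert
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /i:setup C:\Temp\example.dll /n"},        # trailing /n: no space after it,
]                                                                             # so ' -n ' does not filter it

def evaluate(events=SAMPLE_EVENTS) -> list[bool]:
    """Return one verdict per event, True meaning the rule would fire."""
    return [regsvr32_flag_anomaly(e) for e in events]

if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT" if hit else "ok   ", e["CommandLine"])
```

The last sample shows a caveat of the filter as written: `' -n '` requires a space on both sides, so a `/n` placed as the final token is not excluded and still alerts.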
Related rules
- DNS Query Request By Regsvr32.EXE
- HTML Help HH.EXE Suspicious Child Process
- Network Connection Initiated By Regsvr32.EXE
- Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
- Potential EmpireMonkey Activity