Potentially Suspicious Regsvr32 HTTP/FTP Pattern

Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.

Sigma rule (View on GitHub)

 1title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
 2id: 867356ee-9352-41c9-a8f2-1be690d78216
 3related:
 4    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 5      type: obsolete
 6status: test
 7description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
 8references:
 9    - https://twitter.com/mrd0x/status/1461041276514623491
10    - https://twitter.com/tccontre18/status/1480950986650832903
11    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
12author: Florian Roth (Nextron Systems)
13date: 2023-05-24
14modified: 2023-05-26
15tags:
16    - attack.defense-evasion
17    - attack.t1218.010
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\regsvr32.exe'
24        - OriginalFileName: 'REGSVR32.EXE'
25    selection_flag:
26        CommandLine|contains:
27            - ' /i'
28            - ' -i'
29    selection_protocol:
30        CommandLine|contains:
31            - 'ftp'
32            - 'http'
33    condition: all of selection_*
34falsepositives:
35    - Unknown
36level: medium

References

Related rules

to-top