Regsvr32 Execution From Potential Suspicious Location

Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.

Sigma rule

title: Regsvr32 Execution From Potential Suspicious Location
id: 9525dc73-0327-438c-8c04-13c0e037e9da
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsoletes
status: test
description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
references:
    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/26
tags:
    - attack.defense_evasion
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cli:
        CommandLine|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    condition: all of selection_*
falsepositives:
    - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.
level: medium
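To show how the two selections combine, the following added example (not part of the Sigma project or of this rule) evaluates the rule's logic in plain Python over constructed process_creation events, including the installer-from-%TEMP% case the falsepositives note describes. It assumes Sigma's default case-insensitive string matching and uses the Image, OriginalFileName and CommandLine field names from the rule.

```python
# Added example, not Sigma project code: evaluates this rule's detection logic
# over constructed process_creation events. Sigma string modifiers are
# case-insensitive by default, so every field is lowercased before comparison.

IMAGE_SUFFIX = "\\regsvr32.exe"
ORIGINAL_FILE_NAME = "regsvr32.exe"
SUSPICIOUS_PATHS = [
    ":\\programdata\\", ":\\temp\\", ":\\users\\public\\",
    ":\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
]

def selection_img(event: dict) -> bool:
    """A list of maps is OR-ed: Image suffix OR OriginalFileName may match."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or ofn == ORIGINAL_FILE_NAME

def selection_cli(event: dict) -> bool:
    """A list of values under one |contains field is OR-ed."""
    cmd = event.get("CommandLine", "").lower()
    return any(path in cmd for path in SUSPICIOUS_PATHS)

def matches(event: dict) -> bool:
    """condition: all of selection_*  ->  both selections must hold."""
    return selection_img(event) and selection_cli(event)

# Constructed sample events, not real telemetry.
EVENTS = [
    # Hit: regsvr32 registering a DLL from Users\Public.
    {"Image": "C:\\Windows\\System32\\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "regsvr32.exe /s C:\\Users\\Public\\update.dll"},
    # Hit: binary copied under another name; OriginalFileName still identifies it.
    {"Image": "C:\\Users\\alice\\Downloads\\svc.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "svc.exe /s \"C:\\ProgramData\\Vendor\\comp.dll\""},
    # Hit, but the documented false positive: an installer registering from %TEMP%.
    {"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "regsvr32 /s C:\\Users\\alice\\AppData\\Local\\Temp\\setup\\v.dll"},
    # Miss: DLL lives in System32, which is not a listed location.
    {"Image": "C:\\Windows\\System32\\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "regsvr32 /s C:\\Windows\\System32\\vendor.dll"},
    # Miss: suspicious path, but a different program (selection_img fails).
    {"Image": "C:\\Users\\Public\\setup.exe", "OriginalFileName": "SETUP.EXE",
     "CommandLine": "setup.exe /install C:\\Users\\Public\\update.dll"},
]

def evaluate(events=EVENTS) -> list:
    """Return one verdict per event; alerts are the True entries."""
    return [matches(e) for e in events]
```

The third event shows why the rule is `level: medium` and why the falsepositives note suggests extra filters: a legitimate installer produces exactly the same field values as the first two hits.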
