Regsvr32 Execution From Highly Suspicious Location
Detects execution of regsvr32 where the DLL is located in a highly suspicious location
Sigma rule

```yaml
title: Regsvr32 Execution From Highly Suspicious Location
id: 327ff235-94eb-4f06-b9de-aaee571324be
status: test
description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
    - attack.defense-evasion
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_path_1:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - '\Windows\Registration\CRMLog'
            - '\Windows\System32\com\dmp\'
            - '\Windows\System32\FxsTmp\'
            - '\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
            - '\Windows\System32\spool\drivers\color\'
            - '\Windows\System32\spool\PRINTERS\'
            - '\Windows\System32\spool\SERVERS\'
            - '\Windows\System32\Tasks_Migrated\'
            - '\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
            - '\Windows\SysWOW64\com\dmp\'
            - '\Windows\SysWOW64\FxsTmp\'
            - '\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
            - '\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
            - '\Windows\Tasks\'
            - '\Windows\Tracing\'
    selection_path_2:
        CommandLine|contains:
            # This is to avoid collisions with CLI starting with "C:\"
            - ' "C:\'
            - ' C:\'
            - " 'C:\\"
            - 'D:\'
    selection_exclude_known_dirs:
        CommandLine|contains:
            # Note: add additional locations that are related to third party applications
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\ProgramData\'
            - 'C:\Users\'
            # Note: The space added here are to avoid collisions with the "regsvr32" binary full path
            - ' C:\Windows\'
            - ' "C:\Windows\'
            - " 'C:\\Windows\\"
    filter_main_empty:
        CommandLine: ''
    filter_main_null:
        CommandLine: null
    condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
```
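The rule's condition combines two path selections, an exclusion for well-known directories and two null/empty filters, and the leading-space patterns in `selection_path_2` and `selection_exclude_known_dirs` exist so that the regsvr32 binary's own path at the start of the command line does not trigger or suppress a match. The following Python is an added example, not part of the rule or the Sigma project: it re-implements the rule's detection logic with Sigma's default case-insensitive substring matching and runs it over a handful of constructed process_creation events (field names `Image`, `OriginalFileName`, `CommandLine` as in the rule; all paths and file names in the events are made up) so the interplay of the selections can be checked offline.

```python
"""Evaluate the 'Regsvr32 Execution From Highly Suspicious Location' rule
logic over constructed process_creation events (added example, not the
rule's own tooling)."""

# selection_path_1: directory fragments from the rule.
SUSPICIOUS_DIRS = [
    ":\\PerfLogs\\", ":\\Temp\\", "\\Windows\\Registration\\CRMLog",
    "\\Windows\\System32\\com\\dmp\\", "\\Windows\\System32\\FxsTmp\\",
    "\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\",
    "\\Windows\\System32\\spool\\drivers\\color\\",
    "\\Windows\\System32\\spool\\PRINTERS\\",
    "\\Windows\\System32\\spool\\SERVERS\\",
    "\\Windows\\System32\\Tasks_Migrated\\",
    "\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\",
    "\\Windows\\SysWOW64\\com\\dmp\\", "\\Windows\\SysWOW64\\FxsTmp\\",
    "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\",
    "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\",
    "\\Windows\\Tasks\\", "\\Windows\\Tracing\\",
]
# selection_path_2: a drive reference preceded by a space or quote, i.e. an
# argument rather than the leading regsvr32 path.
DRIVE_PATTERNS = [' "C:\\', " C:\\", " 'C:\\", "D:\\"]
# selection_exclude_known_dirs: the space-prefixed Windows entries again only
# match argument positions, not the binary path at the start of the line.
KNOWN_DIRS = [
    "C:\\Program Files (x86)\\", "C:\\Program Files\\", "C:\\ProgramData\\",
    "C:\\Users\\", " C:\\Windows\\", ' "C:\\Windows\\', " 'C:\\Windows\\",
]


def _contains_any(value, needles):
    # Sigma's 'contains' modifier is a case-insensitive substring match.
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def matches(event):
    """Return True when the event satisfies the rule's condition."""
    image = event.get("Image") or ""
    original = event.get("OriginalFileName") or ""
    selection_img = (image.lower().endswith("\\regsvr32.exe")
                     or original.lower() == "regsvr32.exe")
    cmd = event.get("CommandLine")
    # 'not 1 of filter_main_*': drop events with a null or empty command line.
    if cmd is None or cmd == "":
        return False
    selection_path_1 = _contains_any(cmd, SUSPICIOUS_DIRS)
    selection_path_2 = _contains_any(cmd, DRIVE_PATTERNS)
    exclude_known = _contains_any(cmd, KNOWN_DIRS)
    return selection_img and (selection_path_1
                              or (selection_path_2 and not exclude_known))


# Constructed sample events; none of these paths or DLL names are real.
SAMPLE_EVENTS = [
    # DLL inside the colour-profile spool directory -> selection_path_1 hits.
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\spool\\drivers\\color\\sample.dll"},
    # DLL under a user profile -> selection_path_2 hits but 'C:\Users\' excludes it.
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.dll"'},
    # DLL at the drive root; the quoted regsvr32 path at the start of the line
    # does not trip the ' "C:\Windows\' exclusion because no space precedes it.
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": '"C:\\Windows\\System32\\regsvr32.exe" /s C:\\sample.dll'},
    # Registering a DLL from SysWOW64 -> excluded by ' "C:\Windows\'.
    {"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Windows\\SysWOW64\\sample.dll"'},
    # Different binary entirely -> selection_img fails.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\Tasks\\sample.dll,Run"},
    # Telemetry without a command line -> filtered by filter_main_null.
    {"Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": None},
]


def evaluate_samples():
    """Return the rule verdict for each constructed event, in order."""
    return [matches(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("ALERT " if verdict else "ignore", event["CommandLine"])
```

Only the first and third events alert: the spool-directory DLL through `selection_path_1`, and the drive-root DLL through `selection_path_2` with no known-directory exclusion. The second and fourth show why the exclusion list exists, and the last two show the `selection_img` gate and the null filter doing their work.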
Related rules
- DNS Query Request By Regsvr32.EXE
- HTML Help HH.EXE Suspicious Child Process
- Network Connection Initiated By Regsvr32.EXE
- Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
- Potential EmpireMonkey Activity