Regsvr32 DLL Execution With Suspicious File Extension

Detects the execution of REGSVR32.exe with DLL files masquerading as other files

Sigma rule (View on GitHub)

 1title: Regsvr32 DLL Execution With Suspicious File Extension
 2id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 3related:
 4    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 5      type: obsolete
 6status: test
 7description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
 8references:
 9    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
10    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
11    - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
12author: Florian Roth (Nextron Systems), frack113
13date: 2021-11-29
14modified: 2023-05-24
15tags:
16    - attack.defense-evasion
17    - attack.t1218.010
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\regsvr32.exe'
24        - OriginalFileName: 'REGSVR32.EXE'
25    selection_cli:
26        CommandLine|endswith:
27            # Add more image extensions
28            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
29            - '.bin'
30            - '.bmp'
31            - '.cr2'
32            - '.dat'
33            - '.eps'
34            - '.gif'
35            - '.ico'
36            - '.jpeg'
37            - '.jpg'
38            - '.nef'
39            - '.orf'
40            - '.png'
41            - '.raw'
42            - '.sr2'
43            - '.temp'
44            - '.tif'
45            - '.tiff'
46            - '.tmp'
47            - '.rtf'
48            - '.txt'
49    condition: all of selection_*
50falsepositives:
51    - Unlikely
52level: high

References

Related rules

to-top