Regsvr32 DLL Execution With Suspicious File Extension
Detects the execution of REGSVR32.exe with DLL files masquerading as other files
Sigma rule
title: Regsvr32 DLL Execution With Suspicious File Extension
id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
references:
    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
    - https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/
author: Florian Roth (Nextron Systems), frack113
date: 2021-11-29
modified: 2025-08-27
tags:
    - attack.defense-evasion
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cli:
        CommandLine|endswith:
            # Add more image extensions
            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
            - '.bin'
            - '.bmp'
            - '.cr2'
            - '.dat'
            - '.eps'
            - '.gif'
            - '.ico'
            - '.jpeg'
            - '.jpg'
            - '.log'
            - '.nef'
            - '.orf'
            - '.png'
            - '.raw'
            - '.rtf'
            - '.sr2'
            - '.temp'
            - '.tif'
            - '.tiff'
            - '.tmp'
            - '.txt'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
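The following is an added example, not part of the Sigma rule or the Sigma project's own code: it re-implements the rule's detection logic in Python and runs it over a handful of constructed process_creation events, so a detection engineer can see how the two selections combine. The implementation follows Sigma semantics as written in the rule: string comparisons are case-insensitive, a list of alternatives inside a selection is an OR, and "all of selection_*" requires both selections to hold. The sample events, their field values, and the ids on them are constructed for this example and are not real telemetry.

```python
"""Reference implementation of the rule's detection logic (added example,
not Sigma project code) applied to constructed process_creation events."""
from typing import Any, Dict, Iterable, List

# Field values copied from the rule body.
IMAGE_SUFFIX = "\\regsvr32.exe"
ORIGINAL_FILE_NAME = "REGSVR32.EXE"
SUSPICIOUS_EXTENSIONS = (
    ".bin", ".bmp", ".cr2", ".dat", ".eps", ".gif", ".ico", ".jpeg", ".jpg",
    ".log", ".nef", ".orf", ".png", ".raw", ".rtf", ".sr2", ".temp", ".tif",
    ".tiff", ".tmp", ".txt",
)


def _field(event: Dict[str, Any], name: str) -> str:
    # Sigma string matching is case-insensitive by default, so normalise once;
    # a missing field simply never matches.
    value = event.get(name)
    return "" if value is None else str(value).lower()


def selection_img(event: Dict[str, Any]) -> bool:
    """selection_img is a list of two maps, so EITHER field test suffices."""
    return (
        _field(event, "Image").endswith(IMAGE_SUFFIX)
        or _field(event, "OriginalFileName") == ORIGINAL_FILE_NAME.lower()
    )


def selection_cli(event: Dict[str, Any]) -> bool:
    """selection_cli: CommandLine|endswith with a list of values (OR)."""
    cmd = _field(event, "CommandLine")
    return any(cmd.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)


def matches(event: Dict[str, Any]) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


def alerts(events: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the ids of the events the rule would fire on, in input order."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (not real telemetry). Field names follow the
# Sysmon / Sigma process_creation schema used by the rule.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # normal use: regsvr32 registering a DLL with the expected extension
        "id": "benign-dll",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll",
    },
    {   # DLL masquerading as an image file: the rule should fire
        "id": "masq-jpg",
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"regsvr32.exe /s C:\Users\Public\holiday.jpg",
    },
    {   # renamed copy of the binary: Image no longer ends with \regsvr32.exe,
        # but OriginalFileName from the PE version info still satisfies
        # selection_img; the mixed-case .TXT shows case-insensitive matching
        "id": "renamed-binary",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"svc.exe /s C:\Users\Public\notes.TXT",
    },
    {   # a different process opening a .txt: selection_img fails, no alert
        "id": "notepad-txt",
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\Users\alice\readme.txt",
    },
    {   # OriginalFileName absent (telemetry without version info):
        # the Image test alone still satisfies selection_img
        "id": "no-ofn",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /u /s C:\ProgramData\cache.tmp",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:>16}: {'ALERT' if matches(event) else 'ok'}")
```

Two points the run makes visible: the renamed-binary event is why the rule checks OriginalFileName in addition to the image path, and the no-ofn event shows that an event missing one of those fields is still evaluated on the other, since the two entries of selection_img are alternatives rather than requirements.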
Related rules
- Potential Regsvr32 Commandline Flag Anomaly
- Suspicious Microsoft Office Child Process
- DNS Query Request By Regsvr32.EXE
- HTML Help HH.EXE Suspicious Child Process
- Network Connection Initiated By Regsvr32.EXE