Regsvr32 DLL Execution With Suspicious File Extension

Detects the execution of REGSVR32.exe with DLL files masquerading as other files

Sigma rule

title: Regsvr32 DLL Execution With Suspicious File Extension
id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
references:
    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
    - https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/
author: Florian Roth (Nextron Systems), frack113
date: 2021-11-29
modified: 2025-08-27
tags:
    - attack.defense-evasion
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cli:
        CommandLine|endswith:
            # Add more image extensions
            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
            - '.bin'
            - '.bmp'
            - '.cr2'
            - '.dat'
            - '.eps'
            - '.gif'
            - '.ico'
            - '.jpeg'
            - '.jpg'
            - '.log'
            - '.nef'
            - '.orf'
            - '.png'
            - '.raw'
            - '.rtf'
            - '.sr2'
            - '.temp'
            - '.tif'
            - '.tiff'
            - '.tmp'
            - '.txt'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
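As an added example (not part of the Sigma project or of this rule), the following Python evaluates the rule's two selections and its condition against constructed process_creation events, so a detection engineer can see which command lines fire and which do not; the event field names and sample values are assumed.

```python
# Added example: a minimal evaluator for the Sigma rule above, applied to
# constructed process_creation events. Not the Sigma project's own code.
# Sigma string comparisons are case-insensitive, so every field is lowered.
SUSPICIOUS_EXTENSIONS = (
    ".bin", ".bmp", ".cr2", ".dat", ".eps", ".gif", ".ico", ".jpeg", ".jpg",
    ".log", ".nef", ".orf", ".png", ".raw", ".rtf", ".sr2", ".temp", ".tif",
    ".tiff", ".tmp", ".txt",
)

def selection_img(event):
    """selection_img is a YAML list of maps, so its two entries are OR-ed."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\regsvr32.exe") or original == "regsvr32.exe"

def selection_cli(event):
    """CommandLine|endswith with a list matches if ANY extension is the suffix."""
    cli = event.get("CommandLine", "").lower()
    return any(cli.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)

def matches(event):
    """condition: all of selection_* (AND of the two selections)."""
    return selection_img(event) and selection_cli(event)

# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"id": "evt-1", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\Pictures\photo.jpg"},
    {"id": "evt-2", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    # Renamed binary: Image no longer ends with regsvr32.exe, but the PE's
    # OriginalFileName still does, which is why the rule checks both fields.
    {"id": "evt-3", "Image": r"C:\Temp\rs32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"rs32.exe C:\ProgramData\update.txt"},
    {"id": "evt-4", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\img.png,Entry"},
    # Quoted path: the command line ends with '"', not '.rtf', so the
    # endswith clause does not fire. A coverage limit the analyst should know.
    {"id": "evt-5", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\Public\report.rtf"'},
]

def matching_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events on which the rule fires."""
    return [e["id"] for e in events if matches(e)]
```

Running `matching_ids()` on the constructed events returns `['evt-1', 'evt-3']`; evt-5 shows that a path followed by a closing quote or further arguments sits outside this rule's `endswith` match.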
