Regsvr32 DLL Execution With Suspicious File Extension

calendar Sep 22, 2025 · attack.defense-evasion attack.t1218.010  ·
Share on: linkedin copy

Detects the execution of REGSVR32.exe with DLL files masquerading as other files

Sigma rule (View on GitHub)

 1title: Regsvr32 DLL Execution With Suspicious File Extension
 2id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 3related:
 4    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 5      type: obsolete
 6status: test
 7description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
 8references:
 9    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
10    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
11    - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
12    - https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/
13author: Florian Roth (Nextron Systems), frack113
14date: 2021-11-29
15modified: 2025-08-27
16tags:
17    - attack.defense-evasion
18    - attack.t1218.010
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\regsvr32.exe'
25        - OriginalFileName: 'REGSVR32.EXE'
26    selection_cli:
27        CommandLine|endswith:
28            # Add more image extensions
29            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
30            - '.bin'
31            - '.bmp'
32            - '.cr2'
33            - '.dat'
34            - '.eps'
35            - '.gif'
36            - '.ico'
37            - '.jpeg'
38            - '.jpg'
39            - '.log'
40            - '.nef'
41            - '.orf'
42            - '.png'
43            - '.raw'
44            - '.rtf'
45            - '.sr2'
46            - '.temp'
47            - '.tif'
48            - '.tiff'
49            - '.tmp'
50            - '.txt'
51    condition: all of selection_*
52falsepositives:
53    - Unlikely
54level: high

References

  • CONTInuing the Bazar Ransomware Story

    In this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt Strike to accomplish their mission of encrypting systems with Conti ransomw…


    Read More

  • Threat hunting in large datasets by clustering security events

    By Tiago Pereira. * Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. * Big data processing tools, such as spark, can be a powerful tool in the arsenal of security teams. * This post walks through threat hunting on large datasets by


    Read More

  • Research Guides: All About Images: Image File Formats

    Focuses on many common image questions in regards to image resolutions, resizing images, file types, vector and raster images, scanning, saving and more. Overview of common image files such as JPG, GIF, and TIFF.


    Read More

  • UAC-0057 keeps applying pressure on Ukraine and Poland

    Identifier: TRR250801. Summary In late July, we identified two clusters of malicious archives that were leveraged to target Ukraine and Poland since April 2025, and that we could link together from their similarities. Resulting infection chains are aimed at collecting information about compromised systems and deploying implants for further exploitation. The toolset we analyzed notably […]


    Read More

Related rules

to-top