Scripting/CommandLine Process Spawned Regsvr32

calendar Apr 1, 2024 · attack.defense_evasion attack.t1218.010  ·
Share on: linkedin copy

Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.

Sigma rule (View on GitHub)

 1title: Scripting/CommandLine Process Spawned Regsvr32
 2id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
 3related:
 4    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 5      type: obsoletes
 6status: test
 7description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
 8references:
 9    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
10    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
11author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
12date: 2023/05/26
13tags:
14    - attack.defense_evasion
15    - attack.t1218.010
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        ParentImage|endswith:
22            - '\cmd.exe'
23            - '\cscript.exe'
24            - '\mshta.exe'
25            - '\powershell_ise.exe'
26            - '\powershell.exe'
27            - '\pwsh.exe'
28            - '\wscript.exe'
29        Image|endswith: '\regsvr32.exe'
30    filter_main_rpcproxy:
31        ParentImage: C:\Windows\System32\cmd.exe
32        CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
33    condition: selection and not 1 of filter_main_*
34falsepositives:
35    - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
36    - Some legitimate Windows services
37level: medium # Can be reduced to low if you experience a ton of FP

References

Related rules

to-top