Regsvr32 DLL Execution With Uncommon Extension
Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
Sigma rule
```yaml
title: Regsvr32 DLL Execution With Uncommon Extension
id: 50919691-7302-437f-8e10-1fe088afa145
status: test
description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
references:
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems)
date: 2019-07-17
modified: 2023-05-24
tags:
    - attack.defense-evasion
    - attack.t1574
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    filter_main_legit_ext:
        CommandLine|contains:
            # Note: For better accuracy you might not want to use contains
            - '.ax'
            - '.cpl'
            - '.dll' # Covers ".dll.mui"
            - '.ocx'
    filter_optional_pascal:
        CommandLine|contains: '.ppl'
    filter_optional_avg:
        CommandLine|contains: '.bav'
    filter_main_null_4688:
        CommandLine: null
    filter_main_empty_4688:
        CommandLine: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate extensions currently not in the list either from third party or specific Windows components.
level: medium
```
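To make the effect of each clause visible, here is an added Python evaluator that applies the rule's selection, `filter_main_*` and `filter_optional_*` logic to a handful of constructed Windows `process_creation` events. It is example code written for this page, not part of the SigmaHQ repository or of any Sigma backend; the event dictionaries and their `id` labels are constructed for the demo, and only the extension lists and field names are taken from the rule. Sigma's `contains` and `endswith` modifiers are case-insensitive by default, which the helpers mirror. The `contains_gap` event illustrates the caveat in the rule's own comment: because `contains` is used, the string `.dll` anywhere in the command line (here in a directory name) suppresses the alert.

```python
# Added example: evaluate the "Regsvr32 DLL Execution With Uncommon Extension"
# Sigma rule against constructed process_creation events.
# Not the rule's own code; the sample events below are constructed.

# Extension lists copied from the rule
LEGIT_EXTENSIONS = (".ax", ".cpl", ".dll", ".ocx")   # filter_main_legit_ext
OPTIONAL_EXTENSIONS = (".ppl", ".bav")              # filter_optional_pascal / filter_optional_avg


def selection(event):
    """selection: Image ends with \\regsvr32.exe OR OriginalFileName is REGSVR32.EXE (case-insensitive)."""
    image = event.get("Image")
    orig = event.get("OriginalFileName")
    image_hit = isinstance(image, str) and image.lower().endswith("\\regsvr32.exe")
    orig_hit = isinstance(orig, str) and orig.lower() == "regsvr32.exe"
    return image_hit or orig_hit


def filter_main(event):
    """Any filter_main_* clause: a known extension substring, or a null/empty
    CommandLine (4688 events logged without command-line auditing)."""
    cmd = event.get("CommandLine")
    if cmd is None or cmd == "":          # filter_main_null_4688 / filter_main_empty_4688
        return True
    cmd = cmd.lower()
    return any(ext in cmd for ext in LEGIT_EXTENSIONS)


def filter_optional(event):
    """Any filter_optional_* clause (third-party extensions the rule treats as benign)."""
    cmd = event.get("CommandLine")
    if not isinstance(cmd, str):
        return False
    cmd = cmd.lower()
    return any(ext in cmd for ext in OPTIONAL_EXTENSIONS)


def matches(event, apply_optional_filters=True):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not selection(event):
        return False
    if filter_main(event):
        return False
    if apply_optional_filters and filter_optional(event):
        return False
    return True


def run_rule(events, apply_optional_filters=True):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e, apply_optional_filters)]


# Constructed sample events (not real telemetry)
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"id": "legit_dll", "Image": SYS32 + r"\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
    {"id": "legit_mui", "Image": SYS32 + r"\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\en-US\example.dll.mui"},
    {"id": "uncommon_ext", "Image": SYS32 + r"\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\readme.txt"},
    # Renamed binary: Image no longer ends with \regsvr32.exe, OriginalFileName still matches
    {"id": "renamed_image", "Image": r"C:\Temp\r.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"r.exe /s C:\Temp\photo.jpg"},
    {"id": "upper_case", "Image": r"C:\WINDOWS\SYSTEM32\REGSVR32.EXE", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"REGSVR32.EXE /S C:\TEMP\DATA.BIN"},
    {"id": "no_cmdline_4688", "Image": SYS32 + r"\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": None},
    {"id": "empty_cmdline", "Image": SYS32 + r"\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": ""},
    {"id": "pascal_ppl", "Image": SYS32 + r"\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Example\component.ppl"},
    # ".dll" appears only in a directory name, yet the contains filter suppresses the alert
    {"id": "contains_gap", "Image": SYS32 + r"\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\build.dll\stage.bin"},
    {"id": "other_process", "Image": SYS32 + r"\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\readme.txt,Entry"},
]

if __name__ == "__main__":
    print("with optional filters:   ", run_rule(SAMPLE_EVENTS))
    print("without optional filters:", run_rule(SAMPLE_EVENTS, apply_optional_filters=False))
```

Running the block shows that only `uncommon_ext`, `renamed_image` and `upper_case` alert under the rule as written; `pascal_ppl` joins them when the `filter_optional_*` clauses are dropped. Tightening `contains` to an `endswith`-style check on the file argument, as the rule's comment suggests, would close the `contains_gap` case at the cost of more false positives on command lines with trailing switches.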
Related rules
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Arbitrary File Download Via MSOHTMED.EXE