Regsvr32 DLL Execution With Uncommon Extension
Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
Sigma rule
```yaml
title: Regsvr32 DLL Execution With Uncommon Extension
id: 50919691-7302-437f-8e10-1fe088afa145
status: test
description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
references:
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems)
date: 2019-07-17
modified: 2023-05-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    filter_main_legit_ext:
        CommandLine|contains:
            # Note: For better accuracy you might not want to use contains
            - '.ax'
            - '.cpl'
            - '.dll' # Covers ".dll.mui"
            - '.ocx'
    filter_optional_pascal:
        CommandLine|contains: '.ppl'
    filter_optional_avg:
        CommandLine|contains: '.bav'
    filter_main_null_4688:
        CommandLine: null
    filter_main_empty_4688:
        CommandLine: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate extensions currently not in the list either from third party or specific Windows components.
level: medium
```
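To see how the selection and the `filter_*` blocks interact, the following added example (not part of the Sigma rule or its repository) re-implements the rule's logic in plain Python and runs it over a handful of constructed process_creation events. It also implements the stricter check that the rule's own comment hints at: comparing the real extension of each file argument rather than substring-matching the whole command line. The event dictionaries, the `rule_fires`/`rule_fires_strict` function names and the `id` field are assumptions made for this illustration; Sigma's case-insensitive default for string matching is the only behaviour borrowed from the specification.

```python
"""Evaluate the rule's selection/filter logic over constructed process_creation
events. Illustrative Python, not Sigma's own matching engine."""
import ntpath
import re

# Extensions the rule treats as legitimate: filter_main_legit_ext plus the
# two filter_optional_* blocks (Pascal .ppl, AVG .bav).
LEGIT_EXTENSIONS = (".ax", ".cpl", ".dll", ".ocx")
OPTIONAL_EXTENSIONS = (".ppl", ".bav")
ALLOWED = LEGIT_EXTENSIONS + OPTIONAL_EXTENSIONS

# Tokenizer for a Windows command line: quoted strings or whitespace-free runs.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def matches_selection(event):
    """selection: Image endswith \\regsvr32.exe OR OriginalFileName REGSVR32.EXE.
    Sigma compares strings case-insensitively by default, so lower both sides."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return image.endswith("\\regsvr32.exe") or original == "regsvr32.exe"


def rule_fires(event):
    """Faithful reading of the rule: selection and not (any filter_* block)."""
    if not matches_selection(event):
        return False
    cmd = event.get("CommandLine")
    # filter_main_null_4688 / filter_main_empty_4688: a 4688 event logged
    # without command-line auditing has no CommandLine, so the rule stays quiet.
    if cmd is None or cmd == "":
        return False
    lowered = cmd.lower()
    # |contains: an allowed extension anywhere in the command line suppresses.
    return not any(ext in lowered for ext in ALLOWED)


def file_arguments(cmd):
    """Positional (non-switch) tokens after the executable, with quotes removed."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmd)]
    return [t for t in tokens[1:] if t and not t.startswith(("/", "-"))]


def _extension(arg):
    """Extension of the file name part only, so a folder named '.dll' does not count.
    A resource DLL (foo.dll.mui) is treated as .dll, mirroring the rule's comment."""
    name = ntpath.basename(arg).lower()
    if name.endswith(".mui"):
        name = name[:-4]
    return ntpath.splitext(name)[1]


def rule_fires_strict(event):
    """Stricter variant: fire when any file argument has a non-allowed extension."""
    if not matches_selection(event):
        return False
    cmd = event.get("CommandLine")
    if not cmd:
        return False
    args = file_arguments(cmd)
    if not args:
        return False  # nothing to judge, e.g. a bare "regsvr32.exe"
    return any(_extension(a) not in ALLOWED for a in args)


# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": "benign-dll", "Image": r"C:\Windows\System32\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Windows\System32\mshtml.dll"'},
    {"id": "jpg-payload", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\update.jpg"},
    {"id": "renamed-binary", "Image": r"C:\Temp\r.exe",          # caught via OriginalFileName
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"r.exe /s C:\Temp\a.txt"},
    {"id": "no-cmdline-4688", "Image": r"C:\Windows\System32\regsvr32.exe",
     "OriginalFileName": None, "CommandLine": None},
    {"id": "folder-named-dll", "Image": r"C:\Windows\System32\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\ProgramData\.dll\payload.png"},
    {"id": "other-process", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dat,Run"},
]


def evaluate(events, fn=rule_fires):
    """Return the ids of the events on which the given rule variant fires."""
    return [e["id"] for e in events if fn(e)]


if __name__ == "__main__":
    print("as written:", evaluate(EVENTS))
    print("strict    :", evaluate(EVENTS, rule_fires_strict))
```

The `folder-named-dll` event shows the cost of `|contains`: because the substring `.dll` appears in the directory name, the rule as written stays silent, while the extension-based variant flags it. The `no-cmdline-4688` event shows why the two `filter_main_*_4688` blocks exist: without them, every regsvr32 start logged by 4688 without command-line auditing would match, since an absent command line trivially lacks any allowed extension.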
Related rules
- Exploiting SetupComplete.cmd CVE-2019-1378
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- Control Panel Items