Detects a network connection initiated by "Regsvr32.exe"
Detects potential EmpireMonkey APT activity
Detects RunDLL32/RegSvr32 loading an unsigned or untrusted DLL.
Adversaries often abuse those programs to proxy execution of malicious code.
Detects an Office application calling wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
Detects suspicious and uncommon child processes of WmiPrvSE
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
Detects REGSVR32.exe being used to execute a DLL hosted on remote shares
Detects DNS queries initiated by "Regsvr32.exe"
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
Detects execution of regsvr32 where the DLL is located in a highly suspicious location
Detects potentially suspicious child processes of "regsvr32.exe".
Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" flag, which should be uncommon.
Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
Detects the execution of REGSVR32.exe with DLL files masquerading as other files
This rule monitors executable and script file creation by Office applications. Add further file extensions or magic bytes to the detection logic as needed for your environment.
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)