SigmaHQ/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml

title: Regsvr32 Anomaly
status: experimental
description: Detects various anomalies in relation to regsvr32.exe
author: Florian Roth
reference: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
logsource:
    product: windows
    service: sysmon
detection:
    # Loads from Temp folder
    selection1:
        EventID: 1
        Image: '*\regsvr32.exe'
        CommandLine: '*\Temp\*'
    # Loaded by powershell
    selection2:
        EventID: 1
        Image: '*\regsvr32.exe'
        ParentImage: '*\powershell.exe'
    # Regsvr32.exe used with http(s) address
    selection3:
        EventID: 1
        Image: '*\regsvr32.exe'
        Commandline: 
            - '*/i:http* scrobj.dll'
            - '*/i:ftp* scrobj.dll'
    # Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet
    # https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
    selection4:
        EventID: 1
        Image: '*\wscript.exe'
        ParentImage: '*\regsvr32.exe'
    condition: selection1 or selection2 or selection3 or selection4
falsepositives:
    - Unknown
level: high
regsvr32 Anomalies 2017-04-16 10:02:29 +00:00			`title: Regsvr32 Anomaly`
			`status: experimental`
			`description: Detects various anomalies in relation to regsvr32.exe`
			`author: Florian Roth`
Added reference to regsvr32 rule 2017-08-29 06:45:29 +00:00			`reference: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html`
regsvr32 Anomalies 2017-04-16 10:02:29 +00:00			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
Regsvr32.exe anomalies (bugfix and new selection) 2017-06-07 09:43:25 +00:00			`# Loads from Temp folder`
regsvr32 Anomalies 2017-04-16 10:02:29 +00:00			`selection1:`
			`EventID: 1`
			`Image: '*\regsvr32.exe'`
			`CommandLine: '\Temp\'`
Regsvr32.exe anomalies (bugfix and new selection) 2017-06-07 09:43:25 +00:00			`# Loaded by powershell`
regsvr32 Anomalies 2017-04-16 10:02:29 +00:00			`selection2:`
			`EventID: 1`
			`Image: '*\regsvr32.exe'`
			`ParentImage: '*\powershell.exe'`
Regsvr32.exe anomalies (bugfix and new selection) 2017-06-07 09:43:25 +00:00			`# Regsvr32.exe used with http(s) address`
			`selection3:`
			`EventID: 1`
			`Image: '*\regsvr32.exe'`
Improved regsvr32.exe whitelisting bypass rule thanks to Nick Carr https://twitter.com/ItsReallyNick/status/872409920938946560 2017-06-07 11:46:36 +00:00			`Commandline:`
			`- '/i:http scrobj.dll'`
			`- '/i:ftp scrobj.dll'`
Update sysmon_susp_regsvr32_anomalies Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe. example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100 SCT script code: var objShell = new ActiveXObject("WScript.shell"); 2017-08-29 10:21:47 +00:00			`# Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet`
			`# https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100`
			`selection4:`
			`EventID: 1`
			`Image: '*\wscript.exe'`
			`ParentImage: '*\regsvr32.exe'`
			`condition: selection1 or selection2 or selection3 or selection4`
regsvr32 Anomalies 2017-04-16 10:02:29 +00:00			`falsepositives:`
			`- Unknown`
			`level: high`

Improved regsvr32 whitelisting bypass rule 2017-06-07 10:02:55 +00:00