valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
c73a9e4164
SigmaHQ/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml

52 lines
1.4 KiB
YAML
Raw Normal View History

regsvr32 Anomalies
2017-04-16 10:02:29 +00:00
title: Regsvr32 Anomaly
status: experimental
description: Detects various anomalies in relation to regsvr32.exe
author: Florian Roth
Change All "str" references to be "list"to mach schema update
2018-01-27 23:24:16 +00:00
references:
- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
added a few mitre attack tags to windows sysmon rules
2018-07-27 04:15:07 +00:00
tags:
- attack.t1117
- attack.defense_evasion
- attack.execution
regsvr32 Anomalies
2017-04-16 10:02:29 +00:00
logsource:
product: windows
service: sysmon
detection:
Regsvr32.exe anomalies (bugfix and new selection)
2017-06-07 09:43:25 +00:00
# Loads from Temp folder
regsvr32 Anomalies
2017-04-16 10:02:29 +00:00
selection1:
EventID: 1
Image: '*\regsvr32.exe'
CommandLine: '*\Temp\*'
Regsvr32.exe anomalies (bugfix and new selection)
2017-06-07 09:43:25 +00:00
# Loaded by powershell
regsvr32 Anomalies
2017-04-16 10:02:29 +00:00
selection2:
EventID: 1
Image: '*\regsvr32.exe'
ParentImage: '*\powershell.exe'
Regsvr32.exe anomalies (bugfix and new selection)
2017-06-07 09:43:25 +00:00
# Regsvr32.exe used with http(s) address
selection3:
EventID: 1
Image: '*\regsvr32.exe'
Fieldname case: Commandline -> CommandLine
2018-03-25 21:08:28 +00:00
CommandLine:
Improved regsvr32.exe whitelisting bypass rule thanks to Nick Carr https://twitter.com/ItsReallyNick/status/872409920938946560
2017-06-07 11:46:36 +00:00
- '*/i:http* scrobj.dll'
- '*/i:ftp* scrobj.dll'
Update sysmon_susp_regsvr32_anomalies Rule to detect COM scriptlet invocation when wscript.exe is spawned from regsvr32.exe. example: https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100 SCT script code: var objShell = new ActiveXObject("WScript.shell");
2017-08-29 10:21:47 +00:00
# Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet
# https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
selection4:
EventID: 1
Image: '*\wscript.exe'
ParentImage: '*\regsvr32.exe'
Several rule updates
2018-03-19 15:36:15 +00:00
# https://twitter.com/danielhbohannon/status/974321840385531904
selection5:
EventID: 1
Image: '*\EXCEL.EXE'
CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *'
Simplified rule conditions with new condition constructs
2018-03-06 22:14:43 +00:00
condition: 1 of them
Added field names to first rules
2017-09-12 21:54:04 +00:00
fields:
- CommandLine
- ParentCommandLine
regsvr32 Anomalies
2017-04-16 10:02:29 +00:00
falsepositives:
- Unknown
level: high
Improved regsvr32 whitelisting bypass rule
2017-06-07 10:02:55 +00:00
Reference in New Issue Copy Permalink