title: Regsvr32 Anomaly
status: experimental
description: Detects various anomalies in relation to regsvr32.exe
author: Florian Roth
references:
    - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
logsource:
    product: windows
    service: sysmon
detection:
    # Loads from Temp folder
    selection1:
        EventID: 1
        Image: '*\regsvr32.exe'
        CommandLine: '*\Temp\*'
    # Loaded by powershell
    selection2:
        EventID: 1
        Image: '*\regsvr32.exe'
        ParentImage: '*\powershell.exe'
    # Regsvr32.exe used with http(s) address
    selection3:
        EventID: 1
        Image: '*\regsvr32.exe'
        Commandline: 
            - '*/i:http* scrobj.dll'
            - '*/i:ftp* scrobj.dll'
    # Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet
    # https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
    selection4:
        EventID: 1
        Image: '*\wscript.exe'
        ParentImage: '*\regsvr32.exe'
    condition: selection1 or selection2 or selection3 or selection4
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high