title: Regsvr32 Anomaly status: experimental description: Detects various anomalies in relation to regsvr32.exe author: Florian Roth references: - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html tags: - attack.t1117 - attack.defense_evasion - attack.execution logsource: product: windows service: sysmon detection: # Loads from Temp folder selection1: EventID: 1 Image: '*\regsvr32.exe' CommandLine: '*\Temp\*' # Loaded by powershell selection2: EventID: 1 Image: '*\regsvr32.exe' ParentImage: '*\powershell.exe' # Regsvr32.exe used with http(s) address selection3: EventID: 1 Image: '*\regsvr32.exe' CommandLine: - '*/i:http* scrobj.dll' - '*/i:ftp* scrobj.dll' # Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet # https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100 selection4: EventID: 1 Image: '*\wscript.exe' ParentImage: '*\regsvr32.exe' # https://twitter.com/danielhbohannon/status/974321840385531904 selection5: EventID: 1 Image: '*\EXCEL.EXE' CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *' condition: 1 of them fields: - CommandLine - ParentCommandLine falsepositives: - Unknown level: high