SigmaHQ/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml

42 lines
1.2 KiB
YAML

title: Regsvr32 Anomaly
status: experimental
description: Detects various anomalies in relation to regsvr32.exe
author: Florian Roth
references: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
logsource:
product: windows
service: sysmon
detection:
# Loads from Temp folder
selection1:
EventID: 1
Image: '*\regsvr32.exe'
CommandLine: '*\Temp\*'
# Loaded by powershell
selection2:
EventID: 1
Image: '*\regsvr32.exe'
ParentImage: '*\powershell.exe'
# Regsvr32.exe used with http(s) address
selection3:
EventID: 1
Image: '*\regsvr32.exe'
Commandline:
- '*/i:http* scrobj.dll'
- '*/i:ftp* scrobj.dll'
# Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet
# https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
selection4:
EventID: 1
Image: '*\wscript.exe'
ParentImage: '*\regsvr32.exe'
condition: selection1 or selection2 or selection3 or selection4
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high