mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
373424f145
Made tests pass the new CI tests. Added further allowed lower case words in rule test.
35 lines
913 B
YAML
35 lines
913 B
YAML
title: Regsvr32 Network Activity
|
|
id: c7e91a02-d771-4a6d-a700-42587e0b1095
|
|
description: Detects network connections and DNS queries initiated by Regsvr32.exe
|
|
references:
|
|
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
|
|
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
|
|
tags:
|
|
- attack.execution
|
|
- attack.defense_evasion
|
|
- attack.t1117
|
|
author: Dmitriy Lifanov, oscd.community
|
|
status: experimental
|
|
date: 2019/10/25
|
|
modified: 2019/11/10
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection:
|
|
EventID:
|
|
- 3
|
|
- 22
|
|
Image|endswith: '\regsvr32.exe'
|
|
condition: selection
|
|
fields:
|
|
- ComputerName
|
|
- User
|
|
- Image
|
|
- DestinationIp
|
|
- DestinationPort
|
|
falsepositives:
|
|
- unknown
|
|
level: high
|