SigmaHQ/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
2018-03-25 23:08:28 +02:00

48 lines
1.4 KiB
YAML

title: Regsvr32 Anomaly
status: experimental
description: Detects various anomalies in relation to regsvr32.exe
author: Florian Roth
references:
- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
logsource:
product: windows
service: sysmon
detection:
# Loads from Temp folder
selection1:
EventID: 1
Image: '*\regsvr32.exe'
CommandLine: '*\Temp\*'
# Loaded by powershell
selection2:
EventID: 1
Image: '*\regsvr32.exe'
ParentImage: '*\powershell.exe'
# Regsvr32.exe used with http(s) address
selection3:
EventID: 1
Image: '*\regsvr32.exe'
CommandLine:
- '*/i:http* scrobj.dll'
- '*/i:ftp* scrobj.dll'
# Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet
# https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
selection4:
EventID: 1
Image: '*\wscript.exe'
ParentImage: '*\regsvr32.exe'
# https://twitter.com/danielhbohannon/status/974321840385531904
selection5:
EventID: 1
Image: '*\EXCEL.EXE'
CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *'
condition: 1 of them
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high