valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
fdcba84fc8
SigmaHQ/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml
Thomas Patzke 373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
2020-02-20 23:00:16 +01:00

35 lines
913 B
YAML
Raw Blame History

title: Regsvr32 Network Activity
id: c7e91a02-d771-4a6d-a700-42587e0b1095
description: Detects network connections and DNS queries initiated by Regsvr32.exe
references:
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
tags:
- attack.execution
- attack.defense_evasion
- attack.t1117
author: Dmitriy Lifanov, oscd.community
status: experimental
date: 2019/10/25
modified: 2019/11/10
logsource:
product: windows
service: sysmon
detection:
selection:
EventID:
- 3
- 22
Image|endswith: '\regsvr32.exe'
condition: selection
fields:
- ComputerName
- User
- Image
- DestinationIp
- DestinationPort
falsepositives:
- unknown
level: high
Reference in New Issue View Git Blame Copy Permalink