← Back to Explore
sigmahighHunting
Regsvr32 DLL Execution With Suspicious File Extension
Detects the execution of REGSVR32.exe with DLL files masquerading as other files
Detection Query
selection_img:
- Image|endswith: \regsvr32.exe
- OriginalFileName: REGSVR32.EXE
selection_cli:
CommandLine|endswith:
- .bin
- .bmp
- .cr2
- .dat
- .eps
- .gif
- .ico
- .jpeg
- .jpg
- .log
- .nef
- .orf
- .png
- .raw
- .rtf
- .sr2
- .temp
- .tif
- .tiff
- .tmp
- .txt
condition: all of selection_*
Author
Florian Roth (Nextron Systems), frack113
Created
2021-11-29
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218.010
Raw Content
title: Regsvr32 DLL Execution With Suspicious File Extension
id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsolete
status: test
description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
references:
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
- https://guides.lib.umich.edu/c.php?g=282942&p=1885348
- https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/
author: Florian Roth (Nextron Systems), frack113
date: 2021-11-29
modified: 2025-08-27
tags:
- attack.defense-evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
selection_cli:
CommandLine|endswith:
# Add more image extensions
# https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
- '.bin'
- '.bmp'
- '.cr2'
- '.dat'
- '.eps'
- '.gif'
- '.ico'
- '.jpeg'
- '.jpg'
- '.log'
- '.nef'
- '.orf'
- '.png'
- '.raw'
- '.rtf'
- '.sr2'
- '.temp'
- '.tif'
- '.tiff'
- '.tmp'
- '.txt'
condition: all of selection_*
falsepositives:
- Unlikely
level: high