← Back to Explore
sigmahighHunting
Regsvr32 Execution From Highly Suspicious Location
Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
Detection Query
selection_img:
- Image|endswith: \regsvr32.exe
- OriginalFileName: REGSVR32.EXE
selection_path_1:
CommandLine|contains:
- :\PerfLogs\
- :\Temp\
- \Windows\Registration\CRMLog
- \Windows\System32\com\dmp\
- \Windows\System32\FxsTmp\
- \Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
- \Windows\System32\spool\drivers\color\
- \Windows\System32\spool\PRINTERS\
- \Windows\System32\spool\SERVERS\
- \Windows\System32\Tasks_Migrated\
- \Windows\System32\Tasks\Microsoft\Windows\SyncCenter\
- \Windows\SysWOW64\com\dmp\
- \Windows\SysWOW64\FxsTmp\
- \Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\
- \Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\
- \Windows\Tasks\
- \Windows\Tracing\
selection_path_2:
CommandLine|contains:
- ' "C:\'
- " C:\\"
- " 'C:\\"
- D:\
selection_exclude_known_dirs:
CommandLine|contains:
- C:\Program Files (x86)\
- C:\Program Files\
- C:\ProgramData\
- C:\Users\
- " C:\\Windows\\"
- ' "C:\Windows\'
- " 'C:\\Windows\\"
filter_main_empty:
CommandLine: ""
filter_main_null:
CommandLine: null
condition: selection_img and (selection_path_1 or (selection_path_2 and not
selection_exclude_known_dirs)) and not 1 of filter_main_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-05-26
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218.010
Raw Content
title: Regsvr32 Execution From Highly Suspicious Location
id: 327ff235-94eb-4f06-b9de-aaee571324be
status: test
description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
- attack.defense-evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
selection_path_1:
CommandLine|contains:
- ':\PerfLogs\'
- ':\Temp\'
- '\Windows\Registration\CRMLog'
- '\Windows\System32\com\dmp\'
- '\Windows\System32\FxsTmp\'
- '\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
- '\Windows\System32\spool\drivers\color\'
- '\Windows\System32\spool\PRINTERS\'
- '\Windows\System32\spool\SERVERS\'
- '\Windows\System32\Tasks_Migrated\'
- '\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
- '\Windows\SysWOW64\com\dmp\'
- '\Windows\SysWOW64\FxsTmp\'
- '\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
- '\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
- '\Windows\Tasks\'
- '\Windows\Tracing\'
selection_path_2:
CommandLine|contains:
# This is to avoid collisions with CLI starting with "C:\"
- ' "C:\'
- ' C:\'
- " 'C:\\"
- 'D:\'
selection_exclude_known_dirs:
CommandLine|contains:
# Note: add additional locations that are related to third party applications
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\ProgramData\'
- 'C:\Users\'
# Note: The space added here are to avoid collisions with the "regsvr32" binary full path
- ' C:\Windows\'
- ' "C:\Windows\'
- " 'C:\\Windows\\"
filter_main_empty:
CommandLine: ''
filter_main_null:
CommandLine: null
condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high