← Back to Explore
sigmamediumHunting
Regsvr32 Execution From Potential Suspicious Location
Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
Detection Query
selection_img:
- Image|endswith: \regsvr32.exe
- OriginalFileName: REGSVR32.EXE
selection_cli:
CommandLine|contains:
- :\ProgramData\
- :\Temp\
- :\Users\Public\
- :\Windows\Temp\
- \AppData\Local\Temp\
- \AppData\Roaming\
condition: all of selection_*
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2023-05-26
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218.010
Raw Content
title: Regsvr32 Execution From Potential Suspicious Location
id: 9525dc73-0327-438c-8c04-13c0e037e9da
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsolete
status: test
description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
references:
- https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
- attack.defense-evasion
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
selection_cli:
CommandLine|contains:
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: all of selection_*
falsepositives:
- Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.
level: medium