Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Regsvr32 Execution From Highly Suspicious Location

Detects execution of regsvr32 where the DLL is located in a highly suspicious locations

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Fri May 26327ff235-94eb-4f06-b9de-aaee571324bewindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic6 selectors
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_path_1:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - '\Windows\Registration\CRMLog'
            - '\Windows\System32\com\dmp\'
            - '\Windows\System32\FxsTmp\'
            - '\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
            - '\Windows\System32\spool\drivers\color\'
            - '\Windows\System32\spool\PRINTERS\'
            - '\Windows\System32\spool\SERVERS\'
            - '\Windows\System32\Tasks_Migrated\'
            - '\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
            - '\Windows\SysWOW64\com\dmp\'
            - '\Windows\SysWOW64\FxsTmp\'
            - '\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
            - '\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
            - '\Windows\Tasks\'
            - '\Windows\Tracing\'
    selection_path_2:
        CommandLine|contains:
            # This is to avoid collisions with CLI starting with "C:\"
            - ' "C:\'
            - ' C:\'
            - " 'C:\\"
            - 'D:\'
    selection_exclude_known_dirs:
        CommandLine|contains:
            # Note: add additional locations that are related to third party applications
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\ProgramData\'
            - 'C:\Users\'
            # Note: The space added here are to avoid collisions with the "regsvr32" binary full path
            - ' C:\Windows\'
            - ' "C:\Windows\'
            - " 'C:\\Windows\\"
    filter_main_empty:
        CommandLine: ''
    filter_main_null:
        CommandLine: null
    condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_*
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
Internal Research
MITRE ATT&CK

Sub-techniques

T1218.010 · Regsvr32
Rule Metadata
Rule ID
327ff235-94eb-4f06-b9de-aaee571324be
Status
test
Level
high
Type
Detection
Created
Fri May 26
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
Raw Tags
attack.defense-evasionattack.t1218.010
View on GitHub