Detectionmediumtest
Regsvr32 DLL Execution With Uncommon Extension
Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Wed Jul 17Updated Wed May 2450919691-7302-437f-8e10-1fe088afa145windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic6 selectors
detection:
selection:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
filter_main_legit_ext:
CommandLine|contains:
# Note: For better accuracy you might not want to use contains
- '.ax'
- '.cpl'
- '.dll' # Covers ".dll.mui"
- '.ocx'
filter_optional_pascal:
CommandLine|contains: '.ppl'
filter_optional_avg:
CommandLine|contains: '.bav'
filter_main_null_4688:
CommandLine: null
filter_main_empty_4688:
CommandLine: ''
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Other legitimate extensions currently not in the list either from third party or specific Windows components.
References
MITRE ATT&CK
Rule Metadata
Rule ID
50919691-7302-437f-8e10-1fe088afa145
Status
test
Level
medium
Type
Detection
Created
Wed Jul 17
Modified
Wed May 24
Path
rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574attack.execution