Type: Detection | Level: high | Status: test
Potentially Suspicious Child Process Of Regsvr32
Detects potentially suspicious child processes of "regsvr32.exe".
Authors: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created: Thu May 05
Updated: Fri May 26
Rule ID: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
  selection:
    ParentImage|endswith: '\regsvr32.exe'
    Image|endswith:
      - '\calc.exe'
      - '\cscript.exe'
      - '\explorer.exe'
      - '\mshta.exe'
      - '\net.exe'
      - '\net1.exe'
      - '\nltest.exe'
      - '\notepad.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\reg.exe'
      - '\schtasks.exe'
      - '\werfault.exe'
      - '\wscript.exe'
  filter_main_werfault:
    Image|endswith: '\werfault.exe'
    CommandLine|contains: ' -u -p '
  condition: selection and not 1 of filter_main_*

False Positives
Unlikely, but can rarely occur. Apply additional filters accordingly.
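To make the rule's condition concrete, the following added example (not part of the Sigma rule or the project's own code) re-implements the selection, the filter and the "selection and not 1 of filter_main_*" condition in Python and runs it over a handful of constructed process-creation events. String matching is case-insensitive, as Sigma's default modifiers are; the event dictionaries, their "id" keys and the sample command lines are assumptions made up for the demonstration.

```python
"""Evaluate the 'Potentially Suspicious Child Process Of Regsvr32' logic
over constructed process-creation events (example code, not the rule)."""

# selection: ParentImage|endswith and Image|endswith (values from the rule)
SELECTION_PARENT_SUFFIX = "\\regsvr32.exe"
SELECTION_IMAGE_SUFFIXES = (
    "\\calc.exe", "\\cscript.exe", "\\explorer.exe", "\\mshta.exe",
    "\\net.exe", "\\net1.exe", "\\nltest.exe", "\\notepad.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\reg.exe", "\\schtasks.exe",
    "\\werfault.exe", "\\wscript.exe",
)


def _endswith_ci(value, suffix):
    """Sigma 'endswith' with the default case-insensitive comparison."""
    return value.lower().endswith(suffix.lower())


def _contains_ci(value, needle):
    """Sigma 'contains' with the default case-insensitive comparison."""
    return needle.lower() in value.lower()


def selection(event):
    """All fields of the 'selection' map must match (implicit AND)."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return _endswith_ci(parent, SELECTION_PARENT_SUFFIX) and any(
        _endswith_ci(image, suffix) for suffix in SELECTION_IMAGE_SUFFIXES
    )


def filter_main_werfault(event):
    """WerFault.exe started with ' -u -p ' (the crash-reporting invocation)."""
    return _endswith_ci(event.get("Image", ""), "\\werfault.exe") and _contains_ci(
        event.get("CommandLine", ""), " -u -p "
    )


# Every selector named filter_main_* takes part in '1 of filter_main_*'.
FILTERS = {"filter_main_werfault": filter_main_werfault}


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in FILTERS.values())


# Constructed sample events (assumed field names follow the Sigma process_creation model).
SAMPLE_EVENTS = [
    {"id": "ev1", "ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    # regsvr32 crashed and WER collected a dump: excluded by filter_main_werfault
    {"id": "ev2", "ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
     "Image": "C:\\Windows\\System32\\WerFault.exe",
     "CommandLine": "C:\\Windows\\System32\\WerFault.exe -u -p 4321 -s 100"},
    # WerFault without ' -u -p ' is not covered by the filter and still alerts
    {"id": "ev3", "ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
     "Image": "C:\\Windows\\System32\\WerFault.exe",
     "CommandLine": "WerFault.exe -pss -s 123"},
    # parent is not regsvr32: no match
    {"id": "ev4", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe"},
    # child not in the watched list: no match
    {"id": "ev5", "ParentImage": "C:\\Windows\\System32\\regsvr32.exe",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # mixed case still matches because comparisons are case-insensitive
    {"id": "ev6", "ParentImage": "C:\\Windows\\SysWOW64\\REGSVR32.EXE",
     "Image": "C:\\Program Files\\PowerShell\\7\\PWSH.exe",
     "CommandLine": "pwsh.exe -c whoami"},
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would alert on."""
    return [event["id"] for event in events if matches(event)]


if __name__ == "__main__":
    print("alerts:", run())  # ev1, ev3 and ev6
```

The werfault filter is what keeps the rule from firing every time regsvr32.exe itself crashes: Windows Error Reporting starts WerFault.exe with "-u -p <pid>" to collect the crash data, and that child is expected. Any other WerFault invocation, or any other listed child, still alerts, which is why the page suggests adding further filters for the environment where needed.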
MITRE ATT&CK
Tactic: Defense Evasion (attack.defense-evasion)
Sub-technique: T1218.010 (attack.t1218.010)
Related Rules
Similar: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d (rule not found)
Rule Metadata
Rule ID
6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
Status
test
Level
high
Type
Detection
Created
Thu May 05
Modified
Fri May 26
Path
rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
Raw Tags
attack.defense-evasion, attack.t1218.010