Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potentially Suspicious Regsvr32 HTTP/FTP Pattern

Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Wed May 24Updated Fri May 26867356ee-9352-41c9-a8f2-1be690d78216windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_flag:
        CommandLine|contains:
            - ' /i'
            - ' -i'
    selection_protocol:
        CommandLine|contains:
            - 'ftp'
            - 'http'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
2
Resolving title…
twitter.com
3
Resolving title…
lolbas-project.github.io
MITRE ATT&CK

Sub-techniques

T1218.010 · Regsvr32
Related Rules
Similar

8e2b24c9-4add-46a0-b4bb-0057b4e6187d

Rule not found
Rule Metadata
Rule ID
867356ee-9352-41c9-a8f2-1be690d78216
Status
test
Level
medium
Type
Detection
Created
Wed May 24
Modified
Fri May 26
Author
Florian Roth (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml
Raw Tags
attack.defense-evasionattack.t1218.010
View on GitHub