detection.wiki

Detection rules › Sigma

Regsvr32 DLL Execution With Suspicious File Extension

Severity
high
Author
Florian Roth (Nextron Systems), frack113
Source
upstream

Detects the execution of REGSVR32.exe with DLL files masquerading as other files

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1218.010 System Binary Proxy Execution: Regsvr32

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\regsvr32.exe'
OriginalFileName: REGSVR32.EXE

Stage 2: all of selection_cli

or:
CommandLine|endswith: .bin
CommandLine|endswith: .bmp
CommandLine|endswith: .cr2
CommandLine|endswith: .dat
CommandLine|endswith: .eps
CommandLine|endswith: .gif
CommandLine|endswith: .ico
CommandLine|endswith: .jpeg
CommandLine|endswith: .jpg
CommandLine|endswith: .log
CommandLine|endswith: .nef
CommandLine|endswith: .orf
CommandLine|endswith: .png
CommandLine|endswith: .raw
CommandLine|endswith: .rtf
CommandLine|endswith: .sr2
CommandLine|endswith: .temp
CommandLine|endswith: .tif
CommandLine|endswith: .tiff
CommandLine|endswith: .tmp
CommandLine|endswith: .txt

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLineends_with
  • .bin
  • .bmp
  • .cr2
  • .dat corpus 7 (sigma 7)
  • .eps
  • .gif corpus 4 (sigma 4)
  • .ico
  • .jpeg corpus 4 (sigma 4)
  • .jpg corpus 2 (sigma 2)
  • .log corpus 3 (sigma 3)
  • .nef
  • .orf
  • .png corpus 4 (sigma 4)
  • .raw
  • .rtf
  • .sr2
  • .temp corpus 2 (sigma 2)
  • .tif
  • .tiff
  • .tmp corpus 2 (sigma 2)
  • .txt corpus 3 (sigma 3)
Imageends_with
  • \regsvr32.exe corpus 57 (sigma 57)
OriginalFileNameeq
  • REGSVR32.EXE corpus 10 (sigma 10)