Regsvr32 DLL Execution With Uncommon Extension

Severity: medium
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1574` Hijack Execution Flow
Privilege Escalation	`T1574` Hijack Execution Flow
Defense Evasion	`T1574` Hijack Execution Flow

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection`

or:
Image|endswith: '\regsvr32.exe'
OriginalFileName: REGSVR32.EXE

Stage 2: `not 1 of filter_main_*`

or:
CommandLine: ''
CommandLine: null
CommandLine|contains: .ax
CommandLine|contains: .cpl
CommandLine|contains: .dll
CommandLine|contains: .ocx

Stage 3: `not 1 of filter_optional_*`

or:
CommandLine|contains: .bav
CommandLine|contains: .ppl

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`.ax` `.bav` `.cpl` corpus 4 (sigma 4) `.dll` corpus 15 (sigma 15) `.ocx` `.ppl`
`Image`	ends_with	`\regsvr32.exe` corpus 57 (sigma 57)
`OriginalFileName`	eq	`REGSVR32.EXE` corpus 10 (sigma 10)