Detection rules › Splunk
Detect Regsvcs with Network Connection
The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to monitor network connections initiated by Regsvcs.exe. This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. Immediate investigation and remediation are recommended.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218.009 System Binary Proxy Execution: Regsvcs/Regasm |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 3 | Network connection |
Stages and Predicates
Stage 1: search
search NOT dest_ip IN ("10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.0.8/32", "192.0.0.9/32", "192.0.2.0/24", "192.168.0.0/16", "192.175.48.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4") EventID=3 process_name="regsvcs.exe"
Stage 2: stats
stats BY action, app, dest, dest_ip, dest_port, direction, dvc, protocol, protocol_version, src, src_ip, src_port, transport, user, vendor_product, process_name, process_exec, process_guid, process_id
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | dest_ip | in | "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.0.8/32", "192.0.0.9/32", "192.0.2.0/24", "192.168.0.0/16", "192.175.48.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventID | eq |
|
process_name | eq |
|