-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Expand file tree
/
Copy pathproc_creation_win_regsvr32_susp_parent.yml
More file actions
37 lines (37 loc) · 1.49 KB
/
proc_creation_win_regsvr32_susp_parent.yml
File metadata and controls
37 lines (37 loc) · 1.49 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
title: Scripting/CommandLine Process Spawned Regsvr32
id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsolete
status: test
description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
references:
- https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
- attack.stealth
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
Image|endswith: '\regsvr32.exe'
filter_main_rpcproxy:
ParentImage: C:\Windows\System32\cmd.exe
CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
- Some legitimate Windows services
level: medium # Can be reduced to low if you experience a ton of FP