
Regsvr32.exe #11

Closed
johnwunder opened this issue Apr 3, 2019 · 2 comments

Comments


johnwunder commented Apr 3, 2019

Generic Regsvr32.exe

Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually.

ATT&CK Coverage

Technique       Level of Coverage
Regsvr32.exe    High

Implementations

Main Pattern (no baselining)

This just looks for all executions of regsvr32.exe that have a parent of regsvr32.exe but are not regsvr32.exe themselves (which happens). This will have a very high FP rate, but likely not on the order of millions.

Language: Splunk
Data Model: Sysmon

index=__your_sysmon_data__ EventCode=1 regsvr32.exe
  | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"

Identify new items since last month

This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day).

Language: Splunk
Data Model: Sysmon

index=__your_sysmon_data__ earliest=-d@d latest=now() EventCode=1 regsvr32.exe
  | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
  | search NOT [
      search index=__your_sysmon_data__ earliest=-60d@d latest=-30d@d EventCode=1 regsvr32.exe
      | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
      | dedup CommandLine | fields CommandLine
    ]

Test Cases

Any of the Atomic Red Team tests for regsvr32.exe should trigger this.

False Positives

  • WerFault (Windows Error Reporting) is a very common false positive.

Data Model Mappings

Object     Action    Field
process    create    exe
process    create    parent_exe
process    create    command_line

References

As usual, credit to Roberto Rodriguez and the ThreatHunter Playbook.

Developer Certificate of Origin

DCO signed-off-by: John Wunder jwunder@mitre.org
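The two Splunk searches above express one rule: a process-create event whose parent is regsvr32.exe but whose own image is not, optionally minus every command line already seen in the -60d..-30d window. The Python below is an added illustration of that same logic over a handful of constructed Sysmon EventCode 1 records, not code from this issue or from the CAR repository; the record fields (UtcTime, ParentImage, Image, CommandLine), the timestamps and the event contents are all made up for the example, and the baseline window defaults mirror the SPL (last day against -60d@d..-30d@d).

```python
from datetime import datetime, timedelta

# Constructed Sysmon EventCode 1 (process create) records standing in for the
# results of the index=__your_sysmon_data__ search; not real telemetry.
NOW = datetime(2019, 4, 3, 12, 0, 0)
SAMPLE_EVENTS = [
    # today: regsvr32.exe spawned cmd.exe; this command line never appears in the baseline
    {"UtcTime": NOW - timedelta(hours=1), "EventCode": 1,
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ver"},
    # today: the WerFault child the issue names as a common false positive
    {"UtcTime": NOW - timedelta(hours=2), "EventCode": 1,
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 1234 -s 100"},
    # today: regsvr32 spawning regsvr32, which the Image filter deliberately ignores
    {"UtcTime": NOW - timedelta(hours=3), "EventCode": 1,
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s widget.dll"},
    # 45 days ago: the same WerFault command line, i.e. inside the baseline window
    {"UtcTime": NOW - timedelta(days=45), "EventCode": 1,
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 1234 -s 100"},
    # unrelated process create that should never match
    {"UtcTime": NOW - timedelta(hours=4), "EventCode": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def main_pattern(events):
    """Main Pattern (no baselining): EventCode 1 records whose ParentImage ends in
    regsvr32.exe and whose Image does not contain regsvr32.exe, matching
    ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" in the SPL."""
    hits = []
    for e in events:
        if e.get("EventCode") != 1:
            continue
        parent = e.get("ParentImage", "").lower()
        image = e.get("Image", "").lower()
        if parent.endswith("regsvr32.exe") and "regsvr32.exe" not in image:
            hits.append(e)
    return hits


def new_since_baseline(events, now, lookback=timedelta(days=1),
                       baseline_start=timedelta(days=60), baseline_end=timedelta(days=30)):
    """Identify new items since last month: run main_pattern over the last day and
    drop every hit whose CommandLine also occurred in the baseline window
    (now-60d .. now-30d), the job the NOT [ subsearch ] does in the SPL."""
    hits = main_pattern(events)
    baseline = {e["CommandLine"] for e in hits
                if now - baseline_start <= e["UtcTime"] < now - baseline_end}
    recent = [e for e in hits if e["UtcTime"] >= now - lookback]
    return [e for e in recent if e["CommandLine"] not in baseline]


if __name__ == "__main__":
    for e in new_since_baseline(SAMPLE_EVENTS, NOW):
        print(e["UtcTime"], e["ParentImage"], "->", e["Image"], "|", e["CommandLine"])
```

On the sample data main_pattern returns three hits (cmd.exe, today's WerFault and the 45-day-old WerFault); the baselined variant keeps only the cmd.exe child, because the WerFault command line was already seen in the -60d..-30d window. Baselining on the exact CommandLine is as blunt as the SPL's dedup: a recurring benign child with a varying argument (a PID, for instance) will keep surfacing as "new", so a production version would normally key on Image or a normalised command line instead.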


ikiril01 commented Apr 3, 2019

I've also looked into this one a bit - here are a few more Splunk implementations that may be useful. These all have the chance for false positives, though at a lower rate than the Main Pattern.

Regsvr loading files with uncommon extensions

eventtype="sysmon" EventCode=1 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") AND NOT "/U" AND NOT "C:\\Program Files" AND CommandLine!="*regsvr32*C:\\Windows*" AND CommandLine!="*regsvr32*C:\\WINDOWS*" AND CommandLine!="*/s*C:\\WINDOWS*"
  | rex field=CommandLine ".*\s(.*\\\\)?(?<TargetFile>.*\.\w+)"
  | rex field=TargetFile ".*\.(?<TargetFileExt>\w+)"
  | search TargetFileExt!=dll AND TargetFileExt!=DLL AND TargetFileExt!=ocx AND TargetFileExt!=OCX AND TargetFileExt!=cpl
  | stats values(ComputerName) as "Computer Name" values(CommandLine) as "Command Line" count(TargetFile) as FileCount by TargetFile

Regsvr loading unique files (only seen once during the time period)

eventtype="sysmon" EventCode=1 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") AND NOT "/U" AND NOT "C:\\Program Files" AND CommandLine!="*regsvr32*C:\\Windows*" AND CommandLine!="*regsvr32*C:\\WINDOWS*" AND CommandLine!="*/s*C:\\WINDOWS*" AND CurrentDirectory!="C:\\Windows*" AND CurrentDirectory!="C:\\windows*" AND CurrentDirectory!="C:\\WINDOWS*"
  | rex field=CommandLine ".*\s(.*\\\\)?(?<TargetFile>.*\.\w+)"
  | rex field=TargetFile ".*\.(?<TargetFileExt>\w+)"
  | stats values(ComputerName) as "Computer Name" values(CommandLine) as "Command Line" count(TargetFile) as FileCount by TargetFile
  | where FileCount=1

Regsvr32 loading unsigned images (fast)

eventtype="sysmon" EventCode=7 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") Signed=false ImageLoaded!="C:\\Program Files*" ImageLoaded!="C:\\Windows\\*"
  | stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded

Regsvr32 spawning child processes

eventtype="sysmon" EventCode=1 (ParentImage="C:\\Windows\\System32\\regsvr32.exe" OR ParentImage="C:\\Windows\\SysWOW64\\regsvr32.exe") AND Image!="C:\\Windows\\System32\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\regsvr32.exe" AND Image!="C:\\WINDOWS\\System32\\regsvr32.exe" AND Image!="C:\\WINDOWS\\SysWOW64\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\WerFault.exe" AND Image!="C:\\Windows\\System32\\wevtutil.exe" AND Image!="C:\\Windows\\System32\\WerFault.exe"
  | stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image
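The three file-oriented searches above (uncommon extensions, unique files, unsigned image loads) all hinge on the same pre-filter and on the two rex extractions. The Python below is an added illustration of that logic, not code from this comment or from the CAR repository; it ports the rex patterns to Python's (?P<name>...) group syntax, runs them over constructed Sysmon EventCode 1 and EventCode 7 records whose hostnames, paths and command lines are all invented, and generalises the extension exclusion to a case-insensitive compare where the SPL lists dll/DLL/ocx/OCX/cpl explicitly. The `NOT "/U"` raw-text term is approximated as a whitespace-token check on CommandLine.

```python
import re

# Ports of the two rex extractions above (Splunk's (?<name>...) becomes (?P<name>...)).
TARGET_FILE_RE = re.compile(r".*\s(.*\\)?(?P<TargetFile>.*\.\w+)")
TARGET_EXT_RE = re.compile(r".*\.(?P<TargetFileExt>\w+)")
REGSVR32_IMAGES = {r"c:\windows\system32\regsvr32.exe", r"c:\windows\syswow64\regsvr32.exe"}
COMMON_EXTS = {"dll", "ocx", "cpl"}  # compared lower-cased; the SPL enumerates dll/DLL/ocx/OCX/cpl

# Constructed Sysmon records (EventCode 1 = process create, 7 = image load); not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "ComputerName": "WS01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CurrentDirectory": r"C:\Users\alice",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.txt"},  # odd extension
    {"EventCode": 1, "ComputerName": "WS02", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CurrentDirectory": r"C:\Users\bob",
     "CommandLine": r"regsvr32.exe /s C:\Users\bob\Downloads\widget.dll"},  # seen twice
    {"EventCode": 1, "ComputerName": "WS03", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CurrentDirectory": r"C:\Users\bob",
     "CommandLine": r"regsvr32.exe /s C:\Users\bob\Downloads\widget.dll"},
    {"EventCode": 1, "ComputerName": "WS01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CurrentDirectory": r"C:\Users\carol",
     "CommandLine": r"regsvr32.exe /u C:\Users\carol\old.ocx"},  # unregister: dropped by NOT "/U"
    {"EventCode": 1, "ComputerName": "WS04", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CurrentDirectory": r"C:\Program Files\Vendor",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"'},  # installer: dropped
    {"EventCode": 1, "ComputerName": "WS04", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CurrentDirectory": r"C:\Windows\System32",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},  # OS path: dropped
    {"EventCode": 7, "ComputerName": "WS01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventCode": 7, "ComputerName": "WS01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\ole32.dll", "Signed": "true"},
    {"EventCode": 7, "ComputerName": "WS04", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\ctl.ocx", "Signed": "false"},
]


def _regsvr32_process_candidate(e):
    """Shared pre-filter of the two EventCode 1 searches: a regsvr32.exe process whose
    command line is not an unregister (/U), does not mention Program Files and does not
    reference a path under the Windows directory after the regsvr32 token."""
    if e.get("EventCode") != 1 or e.get("Image", "").lower() not in REGSVR32_IMAGES:
        return False
    lc = e.get("CommandLine", "").lower()
    if "/u" in lc.split() or r"c:\program files" in lc:
        return False
    idx = lc.find("regsvr32")
    return not (idx >= 0 and r"c:\windows" in lc[idx:])


def extract_target_file(cmdline):
    """First rex: the last whitespace-separated argument, stripped of its directory."""
    m = TARGET_FILE_RE.match(cmdline)
    return m.group("TargetFile") if m else None


def extract_ext(target_file):
    """Second rex: the extension of TargetFile, lower-cased here."""
    m = TARGET_EXT_RE.match(target_file)
    return m.group("TargetFileExt").lower() if m else None


def uncommon_extension_loads(events):
    """'Regsvr loading files with uncommon extensions': TargetFile -> list of command lines."""
    out = {}
    for e in events:
        if not _regsvr32_process_candidate(e):
            continue
        tf = extract_target_file(e["CommandLine"])
        if tf is None or extract_ext(tf) in COMMON_EXTS:
            continue
        out.setdefault(tf, []).append(e["CommandLine"])
    return out


def unique_target_files(events):
    """'Regsvr loading unique files': TargetFile values seen exactly once in the period,
    additionally skipping processes whose CurrentDirectory is under the Windows directory."""
    counts = {}
    for e in events:
        if not _regsvr32_process_candidate(e):
            continue
        if e.get("CurrentDirectory", "").lower().startswith(r"c:\windows"):
            continue
        tf = extract_target_file(e["CommandLine"])
        if tf is not None:
            counts[tf] = counts.get(tf, 0) + 1
    return sorted(tf for tf, n in counts.items() if n == 1)


def unsigned_image_loads(events):
    """'Regsvr32 loading unsigned images': ImageLoaded -> count over EventCode 7 records
    where regsvr32 loaded an unsigned image outside Program Files and the Windows directory."""
    counts = {}
    for e in events:
        if e.get("EventCode") != 7 or e.get("Image", "").lower() not in REGSVR32_IMAGES:
            continue
        if str(e.get("Signed", "")).lower() != "false":
            continue
        loaded = e.get("ImageLoaded", "")
        ll = loaded.lower()
        if ll.startswith(r"c:\program files") or ll.startswith("c:\\windows\\"):
            continue
        counts[loaded] = counts.get(loaded, 0) + 1
    return counts
```

On the sample records only update.txt survives the uncommon-extension search, only update.txt is unique (widget.dll appears twice and the remaining command lines are pre-filtered), and only the helper.dll load under the user's Temp directory is reported as unsigned. The port also shows the rex's one notable limit: it keys on the last whitespace-separated argument, so a command line whose final token is a quoted path or an option rather than the file will yield a misleading TargetFile.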

@ikiril01

Added in bf2f60b
