Regsvr32 Execution From Highly Suspicious Location

Rule Info

Name
Regsvr32 Execution From Highly Suspicious Location
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
Reference
Internal Research
Date
2023-05-26 00:00:00
Modified
None
Id
327ff235-94eb-4f06-b9de-aaee571324be
Tags
attack.defense_evasion attack.t1218.010 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=327ff235-94eb-4f06-b9de-aaee571324be

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`
2024-04-01
a8e1ecd65
Nasreddine Bencherchali
Update proc_creation_win_regsvr32_susp_exec_path_2.yml
2023-05-26
50e0f5854
Nasreddine Bencherchali
Update proc_creation_win_regsvr32_susp_exec_path_2.yml
2023-05-26
f8ca220ad
Nasreddine Bencherchali
fix: fp found in testing
2023-05-26
574c63ea0
Nasreddine Bencherchali
fix: issue to pass the tests
2023-05-26
00751c4c6
Nasreddine Bencherchali
feat: update more regsvr32
2023-05-26
547b8ffa7
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022