Potentially Suspicious Regsvr32 HTTP/FTP Pattern

Rule Info

Name
Potentially Suspicious Regsvr32 HTTP/FTP Pattern
Author
Florian Roth (Nextron Systems)
Description
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
Reference
https://twitter.com/mrd0x/status/1461041276514623491
Date
2023-05-24 00:00:00
Modified
2023-05-26 00:00:00
Id
867356ee-9352-41c9-a8f2-1be690d78216
Tags
attack.defense_evasion attack.t1218.010 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=867356ee-9352-41c9-a8f2-1be690d78216

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`
2024-04-01
a8e1ecd65
Nasreddine Bencherchali
feat: update more regsvr32
2023-05-26
547b8ffa7
Nasreddine Bencherchali
feat: first batch update for regsvr32
2023-05-25
bf80eace8
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022