From 53c25969ab392f5accdfdb6e013fa65c3eb718ab Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 17 Jul 2021 11:20:05 +0200
Subject: [PATCH] added more legitimate extensions to regsvr32 rule

---
 rules/windows/process_creation/win_susp_regsvr32_no_dll.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml
index 54e5d1bc0..50c46fd78 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml
@@ -16,7 +16,11 @@ detection:
     selection:
         ParentImage|endswith: '\regsvr32.exe'
     filter:
-        CommandLine|contains: '.dll'
+        CommandLine|contains:
+            - '.dll'
+            - '.ocx'
+            - '.cpl'
+            - '.ax'
     condition: selection and not filter
 fields:
     - CommandLine
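Review bot: The extended filter still only tests whether one of the four substrings appears anywhere in the child's CommandLine, so any argument that merely contains `.dll` (a directory name, a URL path segment, a bogus trailing token such as `foo.dll`) suppresses the alert while a scriptlet/URL payload is still loaded; with `contains` this is a trivial evasion that the new `.ocx`/`.cpl`/`.ax` entries do not change, and `.ax` in particular also matches unrelated strings like `.axml`. Consider anchoring the check to the argument that names the module (for example `CommandLine|re: '\.(dll|ocx|cpl|ax)(\s|"|$)'`) or at least documenting the substring limitation in the rule's `falsepositives`/`description` (those fields lie outside the hunk). There also appears to be a field mismatch: the selection keys on `ParentImage` while the filter inspects `CommandLine`, which in Sigma process_creation events is the child's command line, not regsvr32's; if the ParentImage selection is intentional the filter should presumably be `ParentCommandLine|contains:`, otherwise the selection should be `Image|endswith: '\regsvr32.exe'` so both conditions describe the same process — I cannot confirm which from this hunk alone since the rule header is outside it.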