regsvr32 Anomalies

rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml

@@ -0,0 +1,21 @@
+title: Regsvr32 Anomaly
+status: experimental
+description: Detects various anomalies in relation to regsvr32.exe
+author: Florian Roth
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        Image: '*\regsvr32.exe'
+        CommandLine: '*\Temp\*'
+    selection2:
+        EventID: 1
+        Image: '*\regsvr32.exe'
+        ParentImage: '*\powershell.exe'
+    condition: any of them
+falsepositives:
+    - Unknown
+level: high
+