From a5c3f424c1425d3416c39e95bde0807464a99ea9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 16 Apr 2017 12:02:29 +0200
Subject: [PATCH] regsvr32 Anomalies

---
 .../sysmon/sysmon_susp_regsvr32_anomalies.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml

diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
new file mode 100644
index 000000000..7cf7f1465
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
@@ -0,0 +1,21 @@
+title: Regsvr32 Anomaly
+status: experimental
+description: Detects various anomalies in relation to regsvr32.exe
+author: Florian Roth
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection1:
+ EventID: 1
+ Image: '*\regsvr32.exe'
+ CommandLine: '*\Temp\*'
+ selection2:
+ EventID: 1
+ Image: '*\regsvr32.exe'
+ ParentImage: '*\powershell.exe'
+ condition: any of them
+falsepositives:
+ - Unknown
+level: high
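Review bot: The `falsepositives` entry `- Unknown` under-describes selection1, whose `CommandLine: '*\Temp\*'` matches every regsvr32.exe invocation that references a path under a Temp directory, and that presumably includes legitimate installers and updaters registering COM DLLs from a user's temp folder; since the rule is rated `level: high`, document that expected benign source explicitly, e.g. `- Installers or updaters registering DLLs from a temp directory (verify in your environment)`. The rule also carries no `date` or `references` field; the commit date on this patch gives a `date: 2017/04/16` value, and a reference for the technique would help analysts triage the alert. As a point of style, `selection1` / `selection2` could be named for what they match (a temp-path argument versus a PowerShell parent) so that `condition: any of them` reads without consulting the bodies. The nesting of the keys under `selection1` and `selection2` is not recoverable from this collapsed copy of the hunk, so the YAML indentation should be checked against the file itself.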