feat: first batch update for regsvr32

2023-05-25 02:13:00 +02:00
parent f5c503a13d
commit bf80eace81
8 changed files with 116 additions and 117 deletions
@@ -1,13 +1,13 @@
-title: Regsvr32 Anomaly
+title: Regsvr32 Execution Anomaly
 id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 status: experimental
-description: Detects various anomalies in relation to regsvr32.exe
+description: Detects various anomalies or uncommon execution trees related "regsvr32.exe"
 references:
-    - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
+    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
 author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton
 date: 2019/01/16
-modified: 2023/02/26
+modified: 2023/05/24
 tags:
    - attack.defense_evasion
    - attack.t1218.010
@@ -19,68 +19,26 @@ logsource:
 detection:
    selection1:
        Image|endswith: '\regsvr32.exe'
-        CommandLine|contains: '\Temp\'
+        CommandLine|contains:
+            - '\Temp\'
+            - '\AppData\Local'
+            - 'C:\Users\Public'
    selection2:
        Image|endswith: '\regsvr32.exe'
        ParentImage|endswith:
+            - '\cmd.exe'
+            - '\mshta.exe'
+            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
-            - '\powershell_ise.exe'
-    selection3:
-        Image|endswith: '\regsvr32.exe'
-        ParentImage|endswith: '\cmd.exe'
-    selection4a:
-        Image|endswith: '\regsvr32.exe'
-        CommandLine|contains|all:
-            - '/i:'
-            - 'http'
-        CommandLine|endswith: 'scrobj.dll'
-    selection4b:
-        Image|endswith: '\regsvr32.exe'
-        CommandLine|contains|all:
-            - '/i:'
-            - 'ftp'
-        CommandLine|endswith: 'scrobj.dll'
-    selection5:
-        Image|endswith: 
-            - '\cscript.exe'
-            - '\wscript.exe'
-        ParentImage|endswith: '\regsvr32.exe'
    selection6:
        Image|endswith: '\EXCEL.EXE'
        CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe '
-    selection7:
-        ParentImage|endswith: '\mshta.exe'
-        Image|endswith: '\regsvr32.exe'
-    selection8:
-        Image|endswith: '\regsvr32.exe'
-        CommandLine|contains:
-            - '\AppData\Local'
-            - 'C:\Users\Public'
-    selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
-        Image|endswith: '\regsvr32.exe'
-        CommandLine|endswith:
-            - '.jpg'
-            - '.jpeg'
-            - '.png'
-            - '.gif'
-            - '.bin'
-            - '.tmp'
-            - '.temp'
-            - '.txt'
    filter1:
        CommandLine|contains:
            - '\AppData\Local\Microsoft\Teams'
            - '\AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll'
-    filter2:
-        ParentImage: 'C:\Program Files\Box\Box\FS\streem.exe'
-        CommandLine|contains: '\Program Files\Box\Box\Temp\'
-    filter_legitimate:
-        CommandLine|endswith: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll'
    condition: 1 of selection* and not 1 of filter*
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
    - Unknown
 level: high
@@ -1,12 +1,12 @@
-title: Regsvr32 Flags Anomaly
+title: Potentially Regsvr32 Commandline Flag Anomaly
 id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
 status: test
-description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
+description: Detects a potential command line flag anomaly related to "regsvr32" in which "/i" flag is used without the "/n" which should be uncommon.
 references:
    - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
 author: Florian Roth (Nextron Systems)
 date: 2019/07/13
-modified: 2021/11/27
+modified: 2023/05/24
 tags:
    - attack.defense_evasion
    - attack.t1218.010
@@ -17,12 +17,9 @@ detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains: ' /i:'
-    filter:
+    filter_main_flag:
        CommandLine|contains: ' /n '
-    condition: selection and not filter
-fields:
-    - CommandLine
-    - ParentCommandLine
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unknown
-level: high
+level: medium
@@ -1,13 +1,14 @@
 title: Suspicious Regsvr32 HTTP IP Pattern
 id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
 status: experimental
-description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN
+description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address and a IP address.
 references:
-    - https://twitter.com/mrd0x/status/1461041276514623491c19-ps
+    - https://twitter.com/mrd0x/status/1461041276514623491
    - https://twitter.com/tccontre18/status/1480950986650832903
+    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
 author: Florian Roth (Nextron Systems)
 date: 2022/01/11
-modified: 2023/01/11
+modified: 2023/05/24
 tags:
    - attack.defense_evasion
    - attack.t1218.010
@@ -16,7 +17,7 @@ logsource:
    product: windows
 detection:
    selection_flags:
-        CommandLine|contains|all:
+        CommandLine|contains:
            - ' /s'
            - ' /u'
    selection_ip:
@@ -41,5 +42,5 @@ detection:
            - ' /i:https://9'
    condition: all of selection_*
 falsepositives:
-    - FQDNs that start with a number
+    - FQDNs that start with a number such as "7-Zip"
 level: high
@@ -0,0 +1,30 @@
+title: 
+id: 867356ee-9352-41c9-a8f2-1be690d78216
+status: experimental
+description: Detects 
+references:
+    - https://twitter.com/mrd0x/status/1461041276514623491
+    - https://twitter.com/tccontre18/status/1480950986650832903
+    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
+author: Florian Roth (Nextron Systems)
+date: 2023/05/24
+tags:
+    - attack.defense_evasion
+    - attack.t1218.010
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\regsvr32.exe'
+        - OriginalFileName: 'REGSVR32.EXE'
+    selection_flag:
+        CommandLine|contains: ' /i'
+    selection_protocol:
+        CommandLine|contains:
+            - 'ftp'
+            - 'http'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -1,38 +0,0 @@
-title: Regsvr32 Command Line Without DLL
-id: 50919691-7302-437f-8e10-1fe088afa145
-status: test
-description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line
-references:
-    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
-author: Florian Roth (Nextron Systems)
-date: 2019/07/17
-modified: 2022/12/25
-tags:
-    - attack.defense_evasion
-    - attack.t1574
-    - attack.execution
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\regsvr32.exe'
-    filter:
-        CommandLine|contains:
-            - '.dll'
-            - '.ocx'
-            - '.cpl'
-            - '.ax'
-            - '.bav'
-            - '.ppl'
-    filter_null1_for_4688:
-        CommandLine: null
-    filter_null2_for_4688:
-        CommandLine: ''
-    condition: selection and not filter and not filter_null1_for_4688 and not filter_null2_for_4688
-falsepositives:
-    - Unknown
-fields:
-    - CommandLine
-    - ParentCommandLine
-level: high
@@ -1,13 +1,13 @@
-title: Regsvr32 Spawning Explorer
+title: Suspicious Child Process Of Regsvr32
 id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
 status: experimental
-description: Detects "regsvr32.exe" spawning "explorer.exe", which is very uncommon.
+description: Detects suspicious child processes of "regsvr32.exe".
 references:
    - https://redcanary.com/blog/intelligence-insights-april-2022/
    - https://www.echotrail.io/insights/search/regsvr32.exe
-author: elhoim
+author: elhoim, Florian Roth (Nextron Systems)
 date: 2022/05/05
-modified: 2022/07/28
+modified: 2023/05/24
 tags:
    - attack.defense_evasion
    - attack.t1218.010
@@ -17,8 +17,14 @@ logsource:
 detection:
    selection:
        ParentImage|endswith: '\regsvr32.exe'
-        Image|endswith: '\explorer.exe'
+        Image|endswith:
+            - '\calc.exe'
+            - '\cscript.exe'
+            - '\explorer.exe'
+            - '\mshta.exe'
+            - '\notepad.exe'
+            - '\wscript.exe'
    condition: selection
 falsepositives:
-    - Unknown
+    - Unlikely
 level: high
@@ -1,17 +1,17 @@
-title: Suspicious Regsvr32 Execution With Image Extension
+title: Regsvr32 Execution With Suspicious File Extension
 id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 related:
    - id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
      type: similar
 status: experimental
-description: Detects the execution of REGSVR32.exe with DLL files masquerading as image files
+description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
 references:
    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
-author: frack113
+author: Florian Roth (Nextron Systems), frack113
 date: 2021/11/29
-modified: 2022/10/31
+modified: 2023/05/24
 tags:
    - attack.defense_evasion
    - attack.t1218.010
@@ -21,12 +21,15 @@ logsource:
 detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
-        - OriginalFileName: '\REGSVR32.EXE'
+        - OriginalFileName: 'REGSVR32.EXE'
    selection_cli:
        CommandLine|endswith:
            # Add more image extensions
+            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
+            - '.bin'
            - '.bmp'
            - '.cr2'
+            - '.dat'
            - '.eps'
            - '.gif'
            - '.ico'
@@ -37,9 +40,12 @@ detection:
            - '.png'
            - '.raw'
            - '.sr2'
+            - '.temp'
            - '.tif'
            - '.tiff'
+            - '.tmp'
+            - '.txt'
    condition: all of selection_*
 falsepositives:
-    - Unknown
+    - Unlikely
 level: high
@@ -0,0 +1,39 @@
+title: Regsvr32 DLL Execution With Uncommon Extension
+id: 50919691-7302-437f-8e10-1fe088afa145
+status: test
+description: Detects a "regsvr32" execution where the file doesn't contain a common file extension used.
+references:
+    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
+author: Florian Roth (Nextron Systems)
+date: 2019/07/17
+modified: 2023/05/24
+tags:
+    - attack.defense_evasion
+    - attack.t1574
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\regsvr32.exe'
+        - OriginalFileName: 'REGSVR32.EXE'
+    filter_main_legit_ext:
+        CommandLine|contains:
+            # Note: For better accuracy you might not want to use contains
+            - '.ax'
+            - '.cpl'
+            - '.dll' # Covers ".dll.mui"
+            - '.ocx'
+    filter_optional_pascal:
+        CommandLine|contains: '.ppl'
+    filter_optional_avg:
+        CommandLine|contains: '.bav'
+    filter_main_null_4688:
+        CommandLine: null
+    filter_main_empty_4688:
+        CommandLine: ''
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Other legit extensions currently not in the list either from third party or specific windows component
+level: medium