From e5ad1b2f84cc78d34d7c82010f2e52583cbcb6fb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 7 Jun 2017 12:02:55 +0200
Subject: [PATCH] Improved regsvr32 whitelisting bypass rule

---
 rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
index a7d9801d4..b83932055 100644
--- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
+++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
@@ -20,9 +20,10 @@ detection:
 selection3:
 EventID: 1
 Image: '*\regsvr32.exe'
-Commandline: '/i:http'
+Commandline: '*/i:http* scrobj.dll'
 condition: selection1 or selection2 or selection3
 falsepositives:
 - Unknown
 level: high
+
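Review bot: The new value `'*/i:http* scrobj.dll'` in selection3 only fires when `scrobj.dll` is the last token on the command line and follows the `/i:` URL, so a reordered invocation such as `regsvr32 scrobj.dll /s /n /u /i:http://…`, a quoted `"scrobj.dll"`, or any trailing argument after the DLL slips past the rule while still loading the remote scriptlet. Matching both tokens anywhere and in either order closes that gap without widening it much, e.g. `Commandline: ['*/i:http*scrobj.dll*', '*scrobj.dll*/i:http*']` (a value list is an OR in Sigma). Separately, the field is spelled `Commandline` on both the old and new line; if the backend field mappings are case-sensitive this would need to be `CommandLine` to match the Sysmon event field, though that predates this change. The `detection` block with selection1 and selection2 starts above the hunk, so I cannot tell from here whether a broader pattern already covers these variants.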