Hieu Tran
46 lines
1.3 KiB
YAML
46 lines
1.3 KiB
YAML
title: Suspicious Regsvr32 Execution With Image Extension
|
|
id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
|
|
related:
|
|
- id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec
|
|
type: similar
|
|
status: experimental
|
|
description: Detects the execution of REGSVR32.exe with DLL files masquerading as image files
|
|
references:
|
|
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
|
|
- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
|
|
- https://guides.lib.umich.edu/c.php?g=282942&p=1885348
|
|
author: frack113
|
|
date: 2021/11/29
|
|
modified: 2022/10/31
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1218.010
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith: '\regsvr32.exe'
|
|
- OriginalFileName: '\REGSVR32.EXE'
|
|
selection_cli:
|
|
CommandLine|endswith:
|
|
# Add more image extensions
|
|
- '.bmp'
|
|
- '.cr2'
|
|
- '.eps'
|
|
- '.gif'
|
|
- '.ico'
|
|
- '.jpeg'
|
|
- '.jpg'
|
|
- '.nef'
|
|
- '.orf'
|
|
- '.png'
|
|
- '.raw'
|
|
- '.sr2'
|
|
- '.tif'
|
|
- '.tiff'
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|