LoFP LoFP / legitimate \".bat\", \".hta\", \".ps1\" or \".vbs\" scripts leverage legitimately often. apply additional filter and exclusions as necessary

Techniques

Sample rules

Scripting/CommandLine Process Spawned Regsvr32

Description

Detects various command line and scripting engines/processes such as “PowerShell”, “Wscript”, “Cmd”, etc. spawning a “regsvr32” instance.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_rpcproxy:
  CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
  ParentImage: C:\Windows\System32\cmd.exe
selection:
  Image|endswith: \regsvr32.exe
  ParentImage|endswith:
  - \cmd.exe
  - \cscript.exe
  - \mshta.exe
  - \powershell_ise.exe
  - \powershell.exe
  - \pwsh.exe
  - \wscript.exe