limited false positives with the query restricted to specified paths. add more world writeable paths as tuning continues.

Techniques

Sample rules

Suspicious Regsvr32 Register Suspicious Path

source: splunk
technicques:
- T1218
- T1218.010

Description

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN ("*\\appdata\\*", "*\\programdata\\*","*\\windows\\temp\\*") NOT (Processes.process IN ("*.dll*", "*.ax*", "*.ocx*")) by Processes.dest Processes.user  Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `suspicious_regsvr32_register_suspicious_path_filter`