other legitimate extensions currently not in the list either from third party or specific windows components.

t1574
windows
sigma

Techniques

t1574

Sample rules

Regsvr32 DLL Execution With Uncommon Extension

source: sigma
technicques:
- t1574

Description

Detects a “regsvr32” execution where the DLL doesn’t contain a common file extension.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_empty_4688:
  CommandLine: ''
filter_main_legit_ext:
  CommandLine|contains:
  - .ax
  - .cpl
  - .dll
  - .ocx
filter_main_null_4688:
  CommandLine: null
filter_optional_avg:
  CommandLine|contains: .bav
filter_optional_pascal:
  CommandLine|contains: .ppl
selection:
- Image|endswith: \regsvr32.exe
- OriginalFileName: REGSVR32.EXE