Some installers might execute "regsvr32" with DLLs located in %temp% or in %programdata%. Apply additional filters if necessary.

Techniques

Sample rules

Regsvr32 Execution From Potential Suspicious Location

Description

Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - :\ProgramData\
  - :\Temp\
  - :\Users\Public\
  - :\Windows\Temp\
  - \AppData\Local\Temp\
  - \AppData\Roaming\
selection_img:
- Image|endswith: \regsvr32.exe
- OriginalFileName: REGSVR32.EXE
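The rule above reads as: `selection_cli` fires when the command line contains any of the listed path fragments, `selection_img` fires when either the image path ends in `\regsvr32.exe` or the PE's OriginalFileName is `REGSVR32.EXE` (a YAML list of maps is an OR in Sigma), and `all of selection_*` requires both. Sigma string matching is case-insensitive. The following Python is an added example, not code from the Sigma project or the LoFP site: it applies that logic to a few constructed process-creation events and shows where an "additional filter" of the kind the false-positive note recommends would sit. The allowlist of installer parent processes (`msiexec.exe`) is an assumption chosen for illustration and would need tuning to a real environment.

```python
"""Apply the 'Regsvr32 Execution From Potential Suspicious Location' logic to
process-creation events, then suppress a class of known-benign installer hits.

All events below are constructed for this example; nothing is read from a host.
"""

# Path fragments from selection_cli (CommandLine|contains). Sigma matching is
# case-insensitive, so every comparison lower-cases both sides.
SUSPICIOUS_PATH_FRAGMENTS = [
    ":\\ProgramData\\",
    ":\\Temp\\",
    ":\\Users\\Public\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",
    "\\AppData\\Roaming\\",
]

# Assumed allowlist for the "apply additional filters" step: regsvr32 spawned by
# the Windows Installer service binary. Tune this to your own environment.
KNOWN_INSTALLER_PARENTS = {"c:\\windows\\system32\\msiexec.exe"}


def selection_cli(event):
    """CommandLine|contains any suspicious path fragment."""
    cmd = event.get("CommandLine", "").lower()
    return any(frag.lower() in cmd for frag in SUSPICIOUS_PATH_FRAGMENTS)


def selection_img(event):
    """Image|endswith regsvr32.exe OR OriginalFileName is REGSVR32.EXE.
    OriginalFileName comes from the PE version resource, so a renamed copy of
    the binary is still recognised."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\regsvr32.exe") or original == "regsvr32.exe"


def rule_matches(event):
    """condition: all of selection_*  (both selections must be true)."""
    return selection_cli(event) and selection_img(event)


def is_known_installer_parent(event):
    """Hypothetical false-positive filter keyed on the parent process image."""
    return event.get("ParentImage", "").lower() in KNOWN_INSTALLER_PARENTS


def evaluate(events, apply_filter=True):
    """Return (alerts, suppressed): rule hits that should be raised, and rule
    hits dropped by the installer filter. Non-matching events are ignored."""
    alerts, suppressed = [], []
    for ev in events:
        if not rule_matches(ev):
            continue
        if apply_filter and is_known_installer_parent(ev):
            suppressed.append(ev)
        else:
            alerts.append(ev)
    return alerts, suppressed


# Constructed sample events (Sysmon/EDR-style field names).
SAMPLE_EVENTS = [
    {   # DLL loaded from a world-writable public directory: should alert
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": "regsvr32.exe /s C:\\Users\\Public\\update.dll",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {   # Installer registering a DLL under ProgramData: rule matches, filter suppresses
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": "regsvr32.exe /s C:\\ProgramData\\ExampleVendor\\helper.dll",
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
    },
    {   # DLL under Program Files: not a listed location, no match at all
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": "regsvr32.exe /s C:\\Program Files\\ExampleVendor\\helper.dll",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {   # Renamed copy: Image does not end in regsvr32.exe, OriginalFileName still matches
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": "svc.exe /s C:\\Users\\alice\\AppData\\Roaming\\x.dll",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
]

if __name__ == "__main__":
    alerts, suppressed = evaluate(SAMPLE_EVENTS)
    for ev in alerts:
        print("ALERT     ", ev["CommandLine"])
    for ev in suppressed:
        print("suppressed", ev["CommandLine"], "(known installer parent)")
```

Running the block prints two alerts and one suppressed hit. Keeping the filter separate from the rule logic (rather than weakening the `contains` list) preserves the rule's coverage and leaves the suppressed events available for review if the allowlist turns out to be too broad.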