Techniques
Sample rules
Scripting/CommandLine Process Spawned Regsvr32
- source: sigma
- techniques:
- t1218
- t1218.010
Description
Detects various command line and scripting engines/processes such as “PowerShell”, “Wscript”, “Cmd”, etc. spawning a “regsvr32” instance.
Detection logic
detection:
  selection:
    Image|endswith: \regsvr32.exe
    ParentImage|endswith:
      - \cmd.exe
      - \cscript.exe
      - \mshta.exe
      - \powershell_ise.exe
      - \powershell.exe
      - \pwsh.exe
      - \wscript.exe
  filter_main_rpcproxy:
    ParentImage: C:\Windows\System32\cmd.exe
    CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
  condition: selection and not 1 of filter_main_*
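The rule's selection, filter and condition evaluated in Python over a few constructed Sysmon-style process-creation events, as an added example that is not part of the Sigma rule or this page; the event ids and file paths are hypothetical, and the matching follows Sigma's default case-insensitive string comparison.

```python
# Added example, not part of the Sigma rule or this catalogue page: evaluates
# the rule's selection, filter and condition in Python against constructed
# Sysmon-style process-creation events. Sigma string matching is
# case-insensitive, so every comparison lowercases both sides.
SCRIPT_HOSTS = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell_ise.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
)
RPCPROXY_PARENT = "c:\\windows\\system32\\cmd.exe"
RPCPROXY_SUFFIX = " /s c:\\windows\\system32\\rpcproxy\\rpcproxy.dll"

def _field(event, name):
    return str(event.get(name, "")).lower()

def selection(event):
    """selection: regsvr32.exe whose parent is one of the listed hosts."""
    return _field(event, "Image").endswith("\\regsvr32.exe") and any(
        _field(event, "ParentImage").endswith(host) for host in SCRIPT_HOSTS)

def filter_main_rpcproxy(event):
    """filter_main_rpcproxy: the RpcProxy.dll registration cmd.exe runs."""
    return (_field(event, "ParentImage") == RPCPROXY_PARENT
            and _field(event, "CommandLine").endswith(RPCPROXY_SUFFIX))

def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_rpcproxy(event)

def alerting_ids(events):
    """Ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if matches(e)]

# Constructed sample events (hypothetical paths, not real telemetry).
REGSVR32 = "C:\\Windows\\System32\\regsvr32.exe"
RPCPROXY_CMD = "regsvr32 /s C:\\Windows\\System32\\RpcProxy\\RpcProxy.dll"
SAMPLE_EVENTS = [
    # wscript.exe parent, arbitrary DLL: selection hits, no filter -> alert
    {"id": "ev1", "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": REGSVR32, "CommandLine": "regsvr32 /s C:\\Users\\Public\\x.dll"},
    # cmd.exe parent registering RpcProxy.dll: filtered out -> no alert
    {"id": "ev2", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": REGSVR32, "CommandLine": RPCPROXY_CMD},
    # explorer.exe parent is not in the list: selection misses -> no alert
    {"id": "ev3", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": REGSVR32, "CommandLine": "regsvr32 /s C:\\Users\\Public\\x.dll"},
    # same RpcProxy command but from powershell.exe: filter needs cmd.exe -> alert
    {"id": "ev4", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": REGSVR32, "CommandLine": RPCPROXY_CMD},
]
```

Note that the filter is deliberately narrow: the same RpcProxy.dll command line launched from any parent other than cmd.exe still alerts, so an environment that registers that DLL from other hosts would need its own filter_main_* entry.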