Unlikely, but can rarely occur. Apply additional filters accordingly.

Techniques

Sample rules

Potentially Suspicious Child Process Of Regsvr32

Description

Detects potentially suspicious child processes of “regsvr32.exe”.

Detection logic

selection:
  Image|endswith:
  - \calc.exe
  - \cscript.exe
  - \explorer.exe
  - \mshta.exe
  - \net.exe
  - \net1.exe
  - \nltest.exe
  - \notepad.exe
  - \powershell.exe
  - \pwsh.exe
  - \reg.exe
  - \schtasks.exe
  - \werfault.exe
  - \wscript.exe
  ParentImage|endswith: \regsvr32.exe
filter_main_werfault:
  Image|endswith: \werfault.exe
  CommandLine|contains: ' -u -p '
condition: selection and not 1 of filter_main_*