Hub configuration

More info

1type: trigger

2name: sigmahq/proc_creation_win_regsvr32_http_ip_pattern

3description: |

4 Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.

5filter: |

6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\regsvr32.exe' || evt.Parsed.OriginalFileName == 'REGSVR32.EXE') && (evt.Parsed.CommandLine contains ' /i:http://1' || evt.Parsed.CommandLine contains ' /i:http://2' || evt.Parsed.CommandLine contains ' /i:http://3' || evt.Parsed.CommandLine contains ' /i:http://4' || evt.Parsed.CommandLine contains ' /i:http://5' || evt.Parsed.CommandLine contains ' /i:http://6' || evt.Parsed.CommandLine contains ' /i:http://7' || evt.Parsed.CommandLine contains ' /i:http://8' || evt.Parsed.CommandLine contains ' /i:http://9' || evt.Parsed.CommandLine contains ' /i:https://1' || evt.Parsed.CommandLine contains ' /i:https://2' || evt.Parsed.CommandLine contains ' /i:https://3' || evt.Parsed.CommandLine contains ' /i:https://4' || evt.Parsed.CommandLine contains ' /i:https://5' || evt.Parsed.CommandLine contains ' /i:https://6' || evt.Parsed.CommandLine contains ' /i:https://7' || evt.Parsed.CommandLine contains ' /i:https://8' || evt.Parsed.CommandLine contains ' /i:https://9' || evt.Parsed.CommandLine contains ' -i:http://1' || evt.Parsed.CommandLine contains ' -i:http://2' || evt.Parsed.CommandLine contains ' -i:http://3' || evt.Parsed.CommandLine contains ' -i:http://4' || evt.Parsed.CommandLine contains ' -i:http://5' || evt.Parsed.CommandLine contains ' -i:http://6' || evt.Parsed.CommandLine contains ' -i:http://7' || evt.Parsed.CommandLine contains ' -i:http://8' || evt.Parsed.CommandLine contains ' -i:http://9' || evt.Parsed.CommandLine contains ' -i:https://1' || evt.Parsed.CommandLine contains ' -i:https://2' || evt.Parsed.CommandLine contains ' -i:https://3' || evt.Parsed.CommandLine contains ' -i:https://4' || evt.Parsed.CommandLine contains ' -i:https://5' || evt.Parsed.CommandLine contains ' -i:https://6' || evt.Parsed.CommandLine contains ' -i:https://7' || evt.Parsed.CommandLine contains ' -i:https://8' || evt.Parsed.CommandLine contains ' -i:https://9'))

7blackhole: 2m

8#status: test

9labels:

10 service: windows

11 confidence: 1

12 spoofable: 0

13 classification:

14 - attack.t1218.010

16 label: "Potentially Suspicious Regsvr32 HTTP IP Pattern"

17 behavior : "windows:audit"

18 remediation: false

20scope:

21 type: ParentProcessId

22 expression: evt.Parsed.ParentProcessId

Hub configuration

« proc_creation_win_regsvr32_http_ip_pattern »v0.2 by sigmahqAttack scenarioservice:windowsspoofable:0MITRE:t1218confidence:1

« proc_creation_win_regsvr32_http_ip_pattern »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0MITRE:t1218confidence:1