cscli scenarios install sigmahq/proc_creation_win_regsvr32_susp_exec_path_21type: trigger2name: sigmahq/proc_creation_win_regsvr32_susp_exec_path_23description: |4 Detects execution of regsvr32 where the DLL is located in a highly suspicious locations5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\regsvr32.exe' || evt.Parsed.OriginalFileName == 'REGSVR32.EXE') && (evt.Parsed.CommandLine contains ':\\PerfLogs\\' || evt.Parsed.CommandLine contains ':\\Temp\\' || evt.Parsed.CommandLine contains '\\Windows\\Registration\\CRMLog' || evt.Parsed.CommandLine contains '\\Windows\\System32\\com\\dmp\\' || evt.Parsed.CommandLine contains '\\Windows\\System32\\FxsTmp\\' || evt.Parsed.CommandLine contains '\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\' || evt.Parsed.CommandLine contains '\\Windows\\System32\\spool\\drivers\\color\\' || evt.Parsed.CommandLine contains '\\Windows\\System32\\spool\\PRINTERS\\' || evt.Parsed.CommandLine contains '\\Windows\\System32\\spool\\SERVERS\\' || evt.Parsed.CommandLine contains '\\Windows\\System32\\Tasks_Migrated\\' || evt.Parsed.CommandLine contains '\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\' || evt.Parsed.CommandLine contains '\\Windows\\SysWOW64\\com\\dmp\\' || evt.Parsed.CommandLine contains '\\Windows\\SysWOW64\\FxsTmp\\' || evt.Parsed.CommandLine contains '\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\' || evt.Parsed.CommandLine contains '\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\' || evt.Parsed.CommandLine contains '\\Windows\\Tasks\\' || evt.Parsed.CommandLine contains '\\Windows\\Tracing\\' || (evt.Parsed.CommandLine contains ' "C:\\' || evt.Parsed.CommandLine contains ' C:\\' || evt.Parsed.CommandLine contains ' \'C:\\' || evt.Parsed.CommandLine contains 'D:\\') && not (evt.Parsed.CommandLine contains 'C:\\Program Files (x86)\\' || evt.Parsed.CommandLine contains 'C:\\Program Files\\' || evt.Parsed.CommandLine contains 'C:\\ProgramData\\' || evt.Parsed.CommandLine contains 'C:\\Users\\' || evt.Parsed.CommandLine contains ' C:\\Windows\\' || evt.Parsed.CommandLine contains ' "C:\\Windows\\' || evt.Parsed.CommandLine contains ' \'C:\\Windows\\')) && not (evt.Parsed.CommandLine == '' || evt.Parsed.CommandLine == ''))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t1218.0101516 label: "Regsvr32 Execution From Highly Suspicious Location"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324