Regsvr32.exe
johnwunder opened this issue · comments
Generic Regsvr32.exe
Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually.
ATT&CK Coverage
Technique | Level of Coverage |
---|---|
Regsvr32.exe | High |
Implementations
Main Pattern (no baselining)
This just looks for all executions of regsvr32.exe that have a parent of regsvr32.exe but are not regsvr32.exe themselves (which happens). This will have a very high FP rate, but likely not on the order of millions.
Language: Splunk
Data Model: Sysmon
```
index=__your_sysmon_data__ EventCode=1 regsvr32.exe
| search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
```
Identify new items since last month
This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day).
Language: Splunk
Data Model: Sysmon
```
index=__your_sysmon_data__ earliest=-d@d latest=now() EventCode=1 regsvr32.exe
| search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
| search NOT [
    search index=__your_sysmon_data__ earliest=-60d@d latest=-30d@d EventCode=1 regsvr32.exe
    | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
    | dedup CommandLine | fields CommandLine
  ]
```
Test Cases
Any of the Atomic Red Team tests for regsvr32.exe should trigger this.
False Positives
- WerFault (Windows Error Reporting) is a very common false positive.
Data Model Mappings
Object | Action | Field |
---|---|---|
process | create | exe |
process | create | parent_exe |
process | create | command_line |
References
As usual, credit to Roberto Rodriguez and the ThreatHunter Playbook.
Developer Certificate of Origin
DCO signed-off-by: John Wunder jwunder@mitre.org
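The two searches above, re-expressed in Python over Sysmon EventCode 1 records so the parent/child rule and the baseline step can be exercised offline. This is an added example, not the issue author's code: the field names (UtcTime, Image, ParentImage, CommandLine) follow Sysmon, the events and the clock value NOW are constructed sample data, and the baseline window mirrors the subsearch's -60d@d..-30d@d literally.

```python
"""Added example, not the issue author's code: the 'Main Pattern' and the
baselined variant re-expressed over Sysmon EventCode 1 records.
Field names follow Sysmon; events and NOW are constructed sample data."""
import ntpath
from datetime import datetime, timedelta

# Constructed Sysmon process-create records (EventCode 1). Values are invented.
SAMPLE_EVENTS = [
    # Ordinary use: explorer launches regsvr32; the pattern does not fire on this.
    {"UtcTime": "2019-04-01 09:00:00", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    # regsvr32 re-launching itself; the pattern ignores regsvr32 -> regsvr32.
    {"UtcTime": "2019-04-01 09:00:01", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\SysWOW64\msxml3.dll"},
    # The false positive the issue names: WerFault spawned under regsvr32.
    {"UtcTime": "2019-04-01 09:05:00", "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4321 -s 1234"},
    # A child seen in the baseline window and again today: the baseline suppresses it.
    {"UtcTime": "2019-02-15 10:00:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"cmd.exe /c inventory.bat"},
    {"UtcTime": "2019-04-01 10:00:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"cmd.exe /c inventory.bat"},
    # A child never seen in the baseline window: this is what the hunt surfaces.
    {"UtcTime": "2019-04-01 11:00:00", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"notepad.exe"},
]
NOW = datetime(2019, 4, 2, 0, 0, 0)  # constructed "now" for the sample data


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def _snap_to_day(dt):
    # Splunk's @d snap: midnight of that day.
    return dt.replace(hour=0, minute=0, second=0, microsecond=0)


def _is_regsvr32(path):
    # Same idea as the wildcard "*regsvr32.exe": compare the file name, not the path.
    return ntpath.basename(path).lower() == "regsvr32.exe"


def main_pattern(events):
    """The 'Main Pattern': parent is regsvr32.exe, the new process is not."""
    return [e for e in events
            if _is_regsvr32(e["ParentImage"]) and not _is_regsvr32(e["Image"])]


def new_since_baseline(events, now, detect_days=1,
                       baseline_start_days=60, baseline_end_days=30):
    """The baselined search: main-pattern hits from the last `detect_days`
    whose CommandLine did not occur in the baseline window
    [now-60d@d, now-30d@d), the window the Splunk subsearch uses."""
    detect_start = _snap_to_day(now - timedelta(days=detect_days))
    base_start = _snap_to_day(now - timedelta(days=baseline_start_days))
    base_end = _snap_to_day(now - timedelta(days=baseline_end_days))
    hits = main_pattern(events)
    # "dedup CommandLine | fields CommandLine" becomes a set of known command lines.
    baseline_cmds = {e["CommandLine"] for e in hits if base_start <= _ts(e) < base_end}
    return [e for e in hits
            if detect_start <= _ts(e) <= now and e["CommandLine"] not in baseline_cmds]


def exclude_known_fp(events, names=("werfault.exe",)):
    """Drop the children the issue's False Positives section names."""
    return [e for e in events if ntpath.basename(e["Image"]).lower() not in names]


def hunt(events, now):
    """Full pipeline: baselined main pattern minus the known false positive."""
    return exclude_known_fp(new_since_baseline(events, now))


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS, NOW):
        print(e["UtcTime"], e["ParentImage"], "->", e["CommandLine"])
```

On the sample data the main pattern returns four events, the baseline removes the `cmd.exe /c inventory.bat` child already seen in February, and the WerFault exclusion leaves only the notepad child as the item worth a look.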
I've also looked into this one a bit - here are a few more Splunk implementations that may be useful. These all have the chance for false positives, though at a lower rate than the Main Pattern.
Regsvr loading files with uncommon extensions
```
eventtype="sysmon" EventCode=1 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") AND NOT "/U" AND NOT "C:\\Program Files" AND CommandLine!="*regsvr32*C:\\Windows*" AND CommandLine!="*regsvr32*C:\\WINDOWS*" AND CommandLine!="*/s*C:\\WINDOWS*"
| rex field=CommandLine ".*\s(.*\\\\)?(?<TargetFile>.*\.\w+)"
| rex field=TargetFile ".*\.(?<TargetFileExt>\w+)"
| search TargetFileExt!=dll AND TargetFileExt!=DLL AND TargetFileExt!=ocx AND TargetFileExt!=OCX AND TargetFileExt!=cpl
| stats values(ComputerName) as "Computer Name" values(CommandLine) as "Command Line" count(TargetFile) as FileCount by TargetFile
```
Regsvr loading unique files (only seen once during the time period)
```
eventtype="sysmon" EventCode=1 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") AND NOT "/U" AND NOT "C:\\Program Files" AND CommandLine!="*regsvr32*C:\\Windows*" AND CommandLine!="*regsvr32*C:\\WINDOWS*" AND CommandLine!="*/s*C:\\WINDOWS*" AND CurrentDirectory!="C:\\Windows*" AND CurrentDirectory!="C:\\windows*" AND CurrentDirectory!="C:\\WINDOWS*"
| rex field=CommandLine ".*\s(.*\\\\)?(?<TargetFile>.*\.\w+)"
| rex field=TargetFile ".*\.(?<TargetFileExt>\w+)"
| stats values(ComputerName) as "Computer Name" values(CommandLine) as "Command Line" count(TargetFile) as FileCount by TargetFile
| where FileCount=1
```
Regsvr32 loading unsigned images (fast)
```
eventtype="sysmon" EventCode=7 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") Signed=false ImageLoaded!="C:\\Program Files*" ImageLoaded!="C:\\Windows\\*"
| stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded
```
Regsvr32 spawning child processes
```
eventtype="sysmon" EventCode=1 (ParentImage="C:\\Windows\\System32\\regsvr32.exe" OR ParentImage="C:\\Windows\\SysWOW64\\regsvr32.exe") AND Image!="C:\\Windows\\System32\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\regsvr32.exe" AND Image!="C:\\WINDOWS\\System32\\regsvr32.exe" AND Image!="C:\\WINDOWS\\SysWOW64\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\WerFault.exe" AND Image!="C:\\Windows\\System32\\wevtutil.exe" AND Image!="C:\\Windows\\System32\\WerFault.exe"
| stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image
```
Added in bf2f60b
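The three file-oriented searches from the comment above (uncommon target extensions, targets seen only once, unsigned image loads), as an added Python example that is not the commenter's code. It mirrors the two `rex` stages with Python regexes, applies the same `/U`, Program Files and `C:\Windows` exclusions case-insensitively, and runs over constructed Sysmon EventCode 1 and 7 records; field names follow Sysmon, all values are invented.

```python
"""Added example, not the commenter's code: Python forms of the comment's
regsvr32 file checks. Field names follow Sysmon; events are constructed."""
import re
from collections import Counter

REGSVR32_IMAGES = {r"c:\windows\system32\regsvr32.exe",
                   r"c:\windows\syswow64\regsvr32.exe"}
COMMON_EXTS = {"dll", "ocx", "cpl"}

# The comment's two rex stages: the last whitespace-separated argument, with any
# directory prefix removed, is the file regsvr32 was given; then its extension.
TARGET_RE = re.compile(r".*\s(?:.*\\)?(?P<TargetFile>.*\.\w+)")
EXT_RE = re.compile(r".*\.(?P<TargetFileExt>\w+)")

# Constructed Sysmon records: EventCode 1 (process create) and 7 (image load).
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CurrentDirectory": "C:\\Windows\\System32\\",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},  # Windows path
    {"EventCode": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CurrentDirectory": r"C:\Program Files\Vendor",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\app.dll"'},  # Program Files
    {"EventCode": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\loader.dll"},
    {"EventCode": 1, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\Downloads\update.tmp"},  # odd extension
    {"EventCode": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CurrentDirectory": r"C:\Users\bob\vendor",
     "CommandLine": r"regsvr32.exe /s C:\Users\bob\vendor\ctl.ocx"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CurrentDirectory": r"C:\Users\bob\vendor",
     "CommandLine": r"regsvr32.exe /s C:\Users\bob\vendor\ctl.ocx"},  # seen twice
    {"EventCode": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CurrentDirectory": r"C:\Users\bob\vendor",
     "CommandLine": r"regsvr32.exe /u /s C:\Users\bob\vendor\ctl.ocx"},  # unregister
    {"EventCode": 7, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\msxml3.dll", "Signed": "true"},
    {"EventCode": 7, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\loader.dll", "Signed": "false"},
    {"EventCode": 7, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\app.dll", "Signed": "false"},
    {"EventCode": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\plugin.dll", "Signed": "false"},  # not regsvr32
]


def _is_regsvr32(image):
    return image.lower() in REGSVR32_IMAGES


def _passes_exclusions(event):
    """The comment's keyword and wildcard exclusions, applied case-insensitively:
    no /U (unregister), nothing under Program Files, no target under C:\\Windows."""
    cl = event["CommandLine"].lower()
    if "/u" in cl.split() or r"c:\program files" in cl:
        return False
    if re.search(r"regsvr32.*c:\\windows", cl) or re.search(r"/s.*c:\\windows", cl):
        return False
    return True


def target_file(command_line):
    m = TARGET_RE.match(command_line)
    return m.group("TargetFile") if m else None


def target_ext(filename):
    m = EXT_RE.match(filename)
    return m.group("TargetFileExt") if m else None


def target_file_counts(events):
    """stats count(TargetFile) by TargetFile over regsvr32 process creates."""
    counts = Counter()
    for e in events:
        if e["EventCode"] != 1 or not _is_regsvr32(e["Image"]) or not _passes_exclusions(e):
            continue
        tf = target_file(e["CommandLine"])
        if tf:
            counts[tf] += 1
    return counts


def uncommon_extension_loads(events):
    """'Regsvr loading files with uncommon extensions': anything not dll/ocx/cpl."""
    return {tf: n for tf, n in target_file_counts(events).items()
            if (target_ext(tf) or "").lower() not in COMMON_EXTS}


def unique_target_files(events):
    """'Regsvr loading unique files': FileCount == 1, also skipping runs whose
    CurrentDirectory is under C:\\Windows, as the comment's second search does."""
    outside_windows = [e for e in events
                       if not e.get("CurrentDirectory", "").lower().startswith(r"c:\windows")]
    return sorted(tf for tf, n in target_file_counts(outside_windows).items() if n == 1)


def unsigned_image_loads(events):
    """'Regsvr32 loading unsigned images': EventCode 7, Signed=false, image loaded
    from outside Program Files and C:\\Windows."""
    counts = Counter()
    for e in events:
        if e["EventCode"] != 7 or not _is_regsvr32(e["Image"]):
            continue
        if str(e.get("Signed", "")).lower() != "false":
            continue
        loaded = e["ImageLoaded"].lower()
        if loaded.startswith(r"c:\program files") or loaded.startswith("c:\\windows\\"):
            continue
        counts[e["ImageLoaded"]] += 1
    return counts


if __name__ == "__main__":
    print("uncommon extensions:", uncommon_extension_loads(SAMPLE_EVENTS))
    print("unique targets:", unique_target_files(SAMPLE_EVENTS))
    print("unsigned loads:", dict(unsigned_image_loads(SAMPLE_EVENTS)))
```

Each function is the Python counterpart of one search's `stats` output, so the three can be compared on the same input: the `.tmp` target is the only uncommon extension, the `.ocx` registered twice drops out of the unique list, and the unsigned-load check catches the Temp-directory DLL independently of how it was named on the command line.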