Sigma detection rules

4 rules indexed · SIEM-agnostic detection content
Sigma is the open, generic signature format for SIEM systems: a rule is written once in YAML and converted to the native query syntax of Splunk, Elastic, Microsoft Sentinel and other backends. The four rules below all target the Regasm/Regsvcs .NET utilities (ATT&CK T1218.009), and each is shown with its raw YAML.

Detection rules

Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
level: medium · status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: cc368ed0-2411-45dc-a222-510ace303cb2
Sigma YAML:
title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
id: cc368ed0-2411-45dc-a222-510ace303cb2
related:
    - id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
      type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
references:
    - https://www.fortiguard.com/threat-signal-report/4718?s=09
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
modified: 2023-02-13
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\Regsvcs.exe'
              - '\Regasm.exe'
        - OriginalFileName:
              - 'RegSvcs.exe'
              - 'RegAsm.exe'
    selection_dir:
        CommandLine|contains:
            # Note: Add more potentially suspicious directories
            - '\AppData\Local\Temp\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\PerfLogs\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            # - '\Desktop\'
            # - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
level: medium · status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
Sigma YAML:
title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
related:
    - id: cc368ed0-2411-45dc-a222-510ace303cb2
      type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
references:
    - https://www.fortiguard.com/threat-signal-report/4718?s=09
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\Regsvcs.exe'
              - '\Regasm.exe'
        - OriginalFileName:
              - 'RegSvcs.exe'
              - 'RegAsm.exe'
    selection_extension:
        CommandLine|contains:
            # Note: Add more potentially uncommon extensions
            - '.dat'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.png'
            - '.txt'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

RegAsm.EXE Initiating Network Connection To Public IP
level: medium · status: test · author: frack113 · id: 0531e43a-d77d-47c2-b89f-5fe50321c805
Sigma YAML:
title: RegAsm.EXE Initiating Network Connection To Public IP
id: 0531e43a-d77d-47c2-b89f-5fe50321c805
status: test
description: Detects "RegAsm.exe" initiating a network connection to public IP addresses
references:
    - https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/
    - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
author: frack113
date: 2024-04-25
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\regasm.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

RegAsm.EXE Execution Without CommandLine Flags or Files
level: low · status: experimental · author: frack113 · id: 651f87f7-12db-47f9-84c5-f27b081b94b6
Sigma YAML:
title: RegAsm.EXE Execution Without CommandLine Flags or Files
id: 651f87f7-12db-47f9-84c5-f27b081b94b6
status: experimental
description: |
    Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
    Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
references:
    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
    - https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
    - https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
    - https://www.joesandbox.com/analysis/1467354/0/html
author: frack113
date: 2025-06-04
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\RegAsm.exe'
        - OriginalFileName: 'RegAsm.exe'
    selection_cli:
        CommandLine|endswith:
            - 'RegAsm'
            - 'RegAsm.exe'
            - 'RegAsm.exe"'
            - "RegAsm.exe'"
    condition: all of selection_*
falsepositives:
    - Legitimate use of Regasm by developers.
# Note: You can increase after an initial baseline
level: low
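A minimal evaluator for the four rules above, as an added example that is not from this page, from the Sigma project or from the rule authors. It transcribes the four detection sections into Python, implements only the Sigma semantics those rules rely on (case-insensitive string matching, the endswith/contains/cidr modifiers, a list of values or a list of maps as OR, 'all of selection_*' and 'selection and not 1 of filter_main_*'), and runs them over five constructed Sysmon-style events: a RegAsm launch loading a .png from C:\Users\Public (rules 1 and 2 fire), a developer registering a DLL with /codebase (nothing fires), a bare RegAsm.exe invocation (rule 4), and two outbound connections, one to a public address (rule 3) and one to a link-local IPv6 address (suppressed by the filter). The event contents, the shortened rule titles and the `category` field standing in for the Sigma logsource are assumptions of the example.

```python
"""Minimal Sigma-style evaluator for the four RegAsm/Regsvcs rules on this page (added
example, not code from the page, the Sigma project or the rule authors). It covers only the
Sigma subset these rules use: exact match, endswith/contains/cidr, OR lists, 'all of X*' and
'A and not 1 of X*', and it runs over constructed events."""
import ipaddress
import re

RULES = {  # detection sections transcribed from the four rules above; titles shortened
    "Regasm/Regsvcs From Uncommon Location": {"category": "process_creation", "detection": {
        "selection_img": [{"Image|endswith": ["\\Regsvcs.exe", "\\Regasm.exe"]},
                          {"OriginalFileName": ["RegSvcs.exe", "RegAsm.exe"]}],
        "selection_dir": {"CommandLine|contains": [
            "\\AppData\\Local\\Temp\\", "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
            "\\PerfLogs\\", "\\Users\\Public\\", "\\Windows\\Temp\\"]},
        "condition": "all of selection_*"}},
    "Regasm/Regsvcs With Uncommon Extension": {"category": "process_creation", "detection": {
        "selection_img": [{"Image|endswith": ["\\Regsvcs.exe", "\\Regasm.exe"]},
                          {"OriginalFileName": ["RegSvcs.exe", "RegAsm.exe"]}],
        "selection_extension": {"CommandLine|contains": [".dat", ".gif", ".jpeg", ".jpg", ".png", ".txt"]},
        "condition": "all of selection_*"}},
    "RegAsm Network Connection To Public IP": {"category": "network_connection", "detection": {
        "selection": {"Initiated": "true", "Image|endswith": "\\regasm.exe"},
        "filter_main_local_ranges": {"DestinationIp|cidr": [
            "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
            "::1/128", "fe80::/10", "fc00::/7"]},
        "condition": "selection and not 1 of filter_main_*"}},
    "RegAsm Without CommandLine Flags or Files": {"category": "process_creation", "detection": {
        "selection_img": [{"Image|endswith": "\\RegAsm.exe"}, {"OriginalFileName": "RegAsm.exe"}],
        "selection_cli": {"CommandLine|endswith": ["RegAsm", "RegAsm.exe", 'RegAsm.exe"', "RegAsm.exe'"]},
        "condition": "all of selection_*"}},
}

def _match_value(value, modifier, pattern):
    """One event field value against one pattern under a Sigma modifier."""
    if value is None:                        # a field absent from the event never matches
        return False
    if modifier == "cidr":
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                   # unparsable address: treat as no match
            return False
    v, p = str(value).lower(), str(pattern).lower()   # Sigma string matching is case-insensitive
    if modifier is None:
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    raise NotImplementedError(f"modifier not covered by this example: {modifier}")

def _match_selection(event, sel):
    """A map is an AND over its fields; a list of maps, or of values, is an OR."""
    if isinstance(sel, list):
        return any(_match_selection(event, m) for m in sel)
    for spec, patterns in sel.items():
        field, _, modifier = spec.partition("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event.get(field), modifier or None, p) for p in patterns):
            return False
    return True

def _eval_condition(cond, results):
    """Evaluate the two condition shapes used by these rules over named selection results."""
    if " and not " in cond:
        left, right = cond.split(" and not ", 1)
        return _eval_condition(left, results) and not _eval_condition(right, results)
    m = re.fullmatch(r"(all|1) of (\w+)\*", cond.strip())
    if m:
        hits = [v for k, v in results.items() if k.startswith(m.group(2))]
        return all(hits) if m.group(1) == "all" else any(hits)
    return results[cond.strip()]

def evaluate(rule, event):
    """True when the event comes from the rule's log source and satisfies its condition."""
    if event.get("category") != rule["category"]:
        return False
    det = rule["detection"]
    results = {n: _match_selection(event, s) for n, s in det.items() if n != "condition"}
    return _eval_condition(det["condition"], results)

def run(events, rules=RULES):
    """Map each rule title to the indexes of the events it fires on."""
    return {t: [i for i, e in enumerate(events) if evaluate(r, e)] for t, r in rules.items()}

NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
EVENTS = [  # constructed Sysmon-style records, not real telemetry
    {"category": "process_creation", "Image": NET + "RegAsm.exe", "OriginalFileName": "RegAsm.exe",
     "CommandLine": f'"{NET}RegAsm.exe" C:\\Users\\Public\\invoice.png'},  # rules 1 and 2
    {"category": "process_creation", "Image": NET + "RegAsm.exe", "OriginalFileName": "RegAsm.exe",
     "CommandLine": f'"{NET}RegAsm.exe" C:\\Dev\\MyLib.dll /codebase'},   # legitimate developer use
    {"category": "process_creation", "Image": NET + "RegAsm.exe", "OriginalFileName": "RegAsm.exe",
     "CommandLine": f'"{NET}RegAsm.exe"'},                                 # rule 4: no argument at all
    {"category": "network_connection", "Image": NET + "RegAsm.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10"},                                     # rule 3: public (TEST-NET-3) address
    {"category": "network_connection", "Image": NET + "RegAsm.exe", "Initiated": "true",
     "DestinationIp": "fe80::1"},                                          # suppressed by the link-local filter
]
```

Calling run(EVENTS) returns {title: [event indexes]}: rules 1 and 2 on event 0, rule 4 on event 2, rule 3 on event 3 only. Two properties of the rules become visible when you trace the matches. Rule 2's `contains` match on '.png' and friends hits anywhere in the command line, including the image path or a working directory, so a project folder whose name carries one of those substrings will trigger it; that is consistent with the rule shipping at level medium with false positives listed as unknown. Rule 4's `endswith` patterns cover the bare, double-quoted and single-quoted forms of the binary name, so a trailing space or a `/?` help flag, as the description notes, does not fire it.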
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin