← Back to SOC feed Coverage →

Potentially Suspicious Child Process Of Regsvr32

sigma HIGH SigmaHQ
T1218.010
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-18T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects potentially suspicious child processes of “regsvr32.exe”.

Detection Rule

Sigma (Original)

title: Potentially Suspicious Child Process Of Regsvr32
id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects potentially suspicious child processes of "regsvr32.exe".
references:
    - https://redcanary.com/blog/intelligence-insights-april-2022/
    - https://www.echotrail.io/insights/search/regsvr32.exe
    - https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-05
modified: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\regsvr32.exe'
        Image|endswith:
            - '\calc.exe'
            - '\cscript.exe'
            - '\explorer.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\nltest.exe'
            - '\notepad.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\schtasks.exe'
            - '\werfault.exe'
            - '\wscript.exe'
    filter_main_werfault:
        Image|endswith: '\werfault.exe'
        CommandLine|contains: ' -u -p '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely, but can rarely occur. Apply additional filters accordingly.
level: high

KQL (Azure Sentinel)

imProcessCreate
| where ((ParentProcessName endswith "\\regsvr32.exe" or ActingProcessName endswith "\\regsvr32.exe") and (TargetProcessName endswith "\\calc.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\explorer.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\net.exe" or TargetProcessName endswith "\\net1.exe" or TargetProcessName endswith "\\nltest.exe" or TargetProcessName endswith "\\notepad.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\reg.exe" or TargetProcessName endswith "\\schtasks.exe" or TargetProcessName endswith "\\werfault.exe" or TargetProcessName endswith "\\wscript.exe")) and (not((TargetProcessName endswith "\\werfault.exe" and TargetProcessCommandLine contains " -u -p ")))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml