This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.

« Network Connection via MsXsl Network Connection via Signed Binary »

› › ›

Network Connection via Registration Utility

edit

Network Connection via Registration Utility

edit

Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml

Tags:

Elastic
Host
Windows
Threat Detection
Execution

Version: 100 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual.

Rule query

edit

sequence by process.entity_id [process where event.type == "start"
and process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe")
and not ( (?process.Ext.token.integrity_level_name :
"System" or ?winlog.event_data.IntegrityLevel : "System") and
(process.parent.name : "msiexec.exe" or process.parent.executable :
("C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe"))
) ] [network where process.name : ("regsvr32.exe", "RegAsm.exe",
"RegSvcs.exe") and not cidrmatch(destination.ip, "10.0.0.0/8",
"127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32",
"192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16",
"192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
"192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24",
"203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
"FF00::/8") and network.protocol != "dns"]

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: System Binary Proxy Execution
- ID: T1218
- Reference URL: https://attack.mitre.org/techniques/T1218/

Rule version history

edit

Version 100 (8.5.0 release)

Formatting only

Version 13 (8.4.0 release)

Formatting only

Version 11 (8.2.0 release)

Updated query, changed from:

sequence by process.entity_id [process where event.type == "start"
and process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe")
and not ( (process.Ext.token.integrity_level_name :
"System" or winlog.event_data.IntegrityLevel : "System") and
(process.parent.name : "msiexec.exe" or process.parent.executable :
("C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe"))
) ] [network where process.name : ("regsvr32.exe", "RegAsm.exe",
"RegSvcs.exe") and not cidrmatch(destination.ip, "10.0.0.0/8",
"127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32",
"192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16",
"192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
"192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24",
"203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
"FF00::/8") and network.protocol != "dns"]

Version 10 (8.1.0 release)

Updated query, changed from:

sequence by process.entity_id [process where event.type == "start"
and process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe")
and not ( user.id == "S-1-5-18" and
(process.parent.name : "msiexec.exe" or process.parent.executable :
("C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe"))
) ] [network where process.name : ("regsvr32.exe", "RegAsm.exe",
"RegSvcs.exe") and not cidrmatch(destination.ip, "10.0.0.0/8",
"127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32",
"192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16",
"192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
"192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24",
"203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
"FF00::/8") and network.protocol != "dns"]

Version 9 (7.14.0 release)

Updated query, changed from:

sequence by process.entity_id [process where event.type == "start"
and process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe")
and not ( user.id == "S-1-5-18" and
(process.parent.name : "msiexec.exe" or process.parent.executable :
("C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe"))
) ] [network where process.name : ("regsvr32.exe", "RegAsm.exe",
"RegSvcs.exe") and not cidrmatch(destination.ip, "10.0.0.0/8",
"169.254.169.254", "172.16.0.0/12", "192.168.0.0/16") and
network.protocol != "dns"]

Version 8 (7.13.0 release)

Updated query, changed from:

sequence by process.entity_id [process where (process.name :
"regsvr32.exe" or process.name : "regsvr64.exe" or
process.name : "RegAsm.exe" or process.name : "RegSvcs.exe") and
event.type == "start"] [network where (process.name : "regsvr32.exe"
or process.name : "regsvr64.exe" or process.name :
"RegAsm.exe" or process.name : "RegSvcs.exe") and not
cidrmatch(destination.ip, "10.0.0.0/8", "169.254.169.254",
"172.16.0.0/12", "192.168.0.0/16")]

Version 7 (7.12.0 release)

Formatting only

Version 6 (7.11.0 release)

Formatting only

Version 5 (7.10.0 release)

Rule name changed from: Network Connection via Regsvr

Updated query, changed from:

event.category:network and event.type:connection and
process.name:(regsvr32.exe or regsvr64.exe) and not
destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or
192.168.0.0/16)

Version 4 (7.9.1 release)

Formatting only

Version 3 (7.9.0 release)

Updated query, changed from:

process.name:(regsvr32.exe or regsvr64.exe) and event.action:"Network
connection detected (rule: NetworkConnect)" and not
destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or
192.168.0.0/16)

Version 2 (7.7.0 release)

Updated query, changed from:

(process.name:regsvr32.exe or process.name:regsvr64.exe) and
event.action:"Network connection detected (rule: NetworkConnect)" and
not destination.ip:169.254.169.254/32 and not
destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not
destination.ip:192.168.0.0/16

« Network Connection via MsXsl Network Connection via Signed Binary »