Network Connection via Regsvr
Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Rule version: 1
Added (Elastic Stack release): 7.6.0
Potential false positives
Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual.
Rule query
(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16
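To make the rule query's logic concrete, here is an added example (not part of the Elastic documentation or the SIEM app's own code) that evaluates the same conditions over constructed winlogbeat-shaped events, including the private-range and cloud-metadata exclusions and the KQL behaviour that a negated clause still passes when destination.ip is absent. The event shape and sample IPs are assumptions for illustration.

```python
import ipaddress

# Constructed sample events shaped like the winlogbeat-* documents the rule
# searches (not real logs). Field names follow the rule query on this page.
NETCONN = "Network connection detected (rule: NetworkConnect)"
SAMPLE_EVENTS = [
    {"process": {"name": "regsvr32.exe"}, "event": {"action": NETCONN},
     "destination": {"ip": "203.0.113.10"}},       # public IP: matches
    {"process": {"name": "regsvr32.exe"}, "event": {"action": NETCONN},
     "destination": {"ip": "10.20.30.40"}},        # RFC 1918: excluded
    {"process": {"name": "regsvr64.exe"}, "event": {"action": NETCONN},
     "destination": {"ip": "169.254.169.254"}},    # cloud metadata: excluded
    {"process": {"name": "svchost.exe"}, "event": {"action": NETCONN},
     "destination": {"ip": "198.51.100.5"}},       # other process: no match
    {"process": {"name": "regsvr32.exe"},
     "event": {"action": "Process Create (rule: ProcessCreate)"},
     "destination": {"ip": "198.51.100.5"}},       # other event.action: no match
]

RULE_PROCESSES = {"regsvr32.exe", "regsvr64.exe"}   # exact match, as on a keyword field
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rule_matches(event: dict) -> bool:
    """Return True when the event satisfies the page's rule query."""
    proc = event.get("process", {}).get("name")
    action = event.get("event", {}).get("action")
    dst = event.get("destination", {}).get("ip")
    if proc not in RULE_PROCESSES or action != NETCONN:
        return False
    # In KQL, 'not destination.ip:<cidr>' is true for a document that has no
    # destination.ip at all, so only exclude when the IP is present and lies
    # inside one of the listed networks.
    if dst is None:
        return True
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return True  # unparsable value cannot fall inside an excluded range
    return not any(addr in net for net in EXCLUDED_NETWORKS)


def matching_destinations(events) -> list:
    """Destination IPs of the events that would generate a signal."""
    return [e["destination"]["ip"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(matching_destinations(SAMPLE_EVENTS))
```

Running it shows that only the connection to the public address produces a signal, which is the behaviour the tuning section of the guide relies on when you add further exclusions.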
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Regsvr32
  - ID: T1117
  - Reference URL: https://attack.mitre.org/techniques/T1117/
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Regsvr32
  - ID: T1117
  - Reference URL: https://attack.mitre.org/techniques/T1117/