IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Network Connection via Regsvr
Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing whitelisting or running arbitrary scripts via a signed Microsoft binary.
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Rule version: 1
Added (Elastic Stack release): 7.6.0
Potential false positives
Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual.
Rule query
(process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16
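As an added illustration that is not part of the Elastic rule or its documentation, the Python below applies the same conditions as the query above to constructed, flattened ECS-style events, so the private-range and metadata-address exclusions can be checked offline. The field names follow the query; the sample events and their IP addresses are made up.

```python
import ipaddress

# Process names and event action taken from the rule query above.
SUSPECT_PROCESSES = {"regsvr32.exe", "regsvr64.exe"}
NETWORK_CONNECT_ACTION = "Network connection detected (rule: NetworkConnect)"

# Destinations the rule excludes: the link-local metadata address and RFC 1918 ranges.
EXCLUDED_NETWORKS = [
    ipaddress.ip_network("169.254.169.254/32"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_excluded_destination(ip_text):
    """True if destination.ip falls inside one of the rule's excluded ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Missing or malformed destination.ip: none of the "not destination.ip:..."
        # clauses can match, so the event is NOT excluded on this criterion.
        return False
    return any(ip in net for net in EXCLUDED_NETWORKS)


def matches_rule(event):
    """Apply the rule's conditions to one flattened winlogbeat/Sysmon event."""
    return (
        event.get("process.name") in SUSPECT_PROCESSES
        and event.get("event.action") == NETWORK_CONNECT_ACTION
        and not is_excluded_destination(event.get("destination.ip", ""))
    )


def signals(events):
    """Return the subset of events that would raise a signal under this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry), flattened to ECS field names.
SAMPLE_EVENTS = [
    {"process.name": "regsvr32.exe", "event.action": NETWORK_CONNECT_ACTION, "destination.ip": "203.0.113.7"},
    {"process.name": "regsvr32.exe", "event.action": NETWORK_CONNECT_ACTION, "destination.ip": "10.20.30.40"},
    {"process.name": "regsvr64.exe", "event.action": NETWORK_CONNECT_ACTION, "destination.ip": "172.31.255.1"},
    {"process.name": "regsvr32.exe", "event.action": "Process Create (rule: ProcessCreate)", "destination.ip": "203.0.113.7"},
    {"process.name": "svchost.exe", "event.action": NETWORK_CONNECT_ACTION, "destination.ip": "203.0.113.7"},
]

if __name__ == "__main__":
    for hit in signals(SAMPLE_EVENTS):
        print("signal:", hit)  # only the first sample event is reported
```

Only the external destination from regsvr32.exe raises a signal; the RFC 1918 destinations, the non-network event action and the unrelated process are all filtered, matching the query's semantics.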
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Regsvr32
  - ID: T1117
  - Reference URL: https://attack.mitre.org/techniques/T1117/
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Regsvr32
  - ID: T1117
  - Reference URL: https://attack.mitre.org/techniques/T1117/