IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Network Connection via Regsvr
Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
Rule type: query
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Version: 2 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.7.0
Potential false positives
Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual.
Rule query
process.name:(regsvr32.exe or regsvr64.exe) and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)
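To make the query's three clauses concrete, here is an added Python example (not Elastic's code and not part of the rule) that re-implements the same logic over a handful of constructed winlogbeat-shaped events: the process.name set, the exact event.action string, and the destination.ip exclusion list. The exclusions are written as CIDR networks, so the block covers both the current query and the version 1 query in the history below, which expresses the same ranges as separate "not" clauses. The sample events and the make_event/get_field helpers are assumptions for this illustration; the addresses are documentation ranges, not real hosts.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# Values taken from the rule query itself.
MONITORED_PROCESSES = {"regsvr32.exe", "regsvr64.exe"}
NETWORK_CONNECT_ACTION = "Network connection detected (rule: NetworkConnect)"

# Destinations the rule excludes: the RFC 1918 ranges plus the single cloud
# instance-metadata address 169.254.169.254 (not the whole 169.254.0.0/16).
EXCLUDED_DESTINATIONS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "169.254.169.254/32", "172.16.0.0/12", "192.168.0.0/16")
]


def get_field(event: Dict[str, Any], dotted_path: str) -> Optional[Any]:
    """Resolve an ECS-style dotted field name such as "destination.ip" in a nested dict."""
    node: Any = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def is_excluded_destination(ip_text: str) -> bool:
    """True if the address falls inside one of the rule's excluded networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        # A value that is not an IP would never be indexed into an ip field,
        # so it cannot match the exclusion list.
        return False
    return any(addr in net for net in EXCLUDED_DESTINATIONS)


def matches_rule(event: Dict[str, Any]) -> bool:
    """Evaluate the three clauses of the rule query against one event."""
    if get_field(event, "process.name") not in MONITORED_PROCESSES:
        return False
    if get_field(event, "event.action") != NETWORK_CONNECT_ACTION:
        return False
    dest = get_field(event, "destination.ip")
    # "not destination.ip:(...)" is a must_not clause: an event with no
    # destination.ip at all is not excluded by it, so it still becomes a signal.
    if dest is None:
        return True
    return not is_excluded_destination(str(dest))


def run_rule(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that would become signals, in input order."""
    return [e for e in events if matches_rule(e)]


def make_event(process_name: str, action: str, dest_ip: Optional[str]) -> Dict[str, Any]:
    """Build a minimal winlogbeat-shaped document (constructed sample, not real log data)."""
    event: Dict[str, Any] = {
        "process": {"name": process_name},
        "event": {"action": action},
    }
    if dest_ip is not None:
        event["destination"] = {"ip": dest_ip}
    return event


# Constructed sample events; public addresses come from documentation ranges.
SAMPLE_EVENTS = [
    make_event("regsvr32.exe", NETWORK_CONNECT_ACTION, "203.0.113.10"),      # public: signal
    make_event("regsvr32.exe", NETWORK_CONNECT_ACTION, "192.168.1.20"),      # RFC 1918: excluded
    make_event("regsvr64.exe", NETWORK_CONNECT_ACTION, "169.254.169.254"),   # metadata endpoint: excluded
    make_event("regsvr32.exe", NETWORK_CONNECT_ACTION, "172.31.0.5"),        # inside 172.16.0.0/12: excluded
    make_event("regsvr32.exe", NETWORK_CONNECT_ACTION, "172.32.0.1"),        # just past the /12: signal
    make_event("regsvr32.exe", "Process Create (rule: ProcessCreate)", "203.0.113.10"),  # wrong action: no signal
    make_event("rundll32.exe", NETWORK_CONNECT_ACTION, "198.51.100.5"),      # process not in scope: no signal
    make_event("regsvr32.exe", NETWORK_CONNECT_ACTION, None),                # no destination.ip: signal
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(get_field(hit, "process.name"), "->", get_field(hit, "destination.ip"))
```

Two details worth checking when tuning this rule: the /12 boundary means 172.31.x.x is excluded but 172.32.x.x is not, and only the single 169.254.169.254 address is excluded, so other link-local destinations still produce signals.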
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Regsvr32
  - ID: T1117
  - Reference URL: https://attack.mitre.org/techniques/T1117/
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Regsvr32
  - ID: T1117
  - Reference URL: https://attack.mitre.org/techniques/T1117/
Rule version history
- Version 2 (7.7.0 release)
  - Updated query, changed from:
    (process.name:regsvr32.exe or process.name:regsvr64.exe) and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:169.254.169.254/32 and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16