splApache-2.0from splunk/security_content
Detect Regsvcs with Network Connection
The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to monitor network connections initiated by Regsvcs.exe. This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. Immediate investigation and remediation are recommended.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/detect_regsvcs_with_network_connection.yml
`sysmon`
EventID=3
NOT dest_ip IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
)
process_name=regsvcs.exe
| stats count min(_time) as firstTime max(_time) as lastTime
by action app dest dest_ip dest_port direction dvc protocol protocol_version src
src_ip src_port transport user vendor_product process_name process_exec process_guid
process_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_regsvcs_with_network_connection_filter`