win_susp_regsvr32_flags_anomaly.yml

[AlphaKiloDelta]

Hello,

I believe there may be some misunderstanding with regard to the flags chosen for detection in this rule, the Twitter reference does not seem to fully understand them. We would want to detect use of the /n flag, not exclude it, because an attacker would want to use it in order to avoid modifying Windows Registry and risking detection.

Regsvr32's /n flag prevents the functions "DllRegisterServer" and "DllUnregisterServer" from being called. These functions create or remove DLL entries from Registry. Such activity would likely be picked up by an EDR solution. Use of the /n flag would help an attacker remain undetected by avoiding any modification to Registry.

Should this rule be rewritten to include detection of the /n flag, as opposed to filtering it out as it is currently?

Thank you.

[frack113]

Hi,
for proc_creation_win_susp_regsvr32_flags_anomaly.yml :
The normal behavior is /i /n
We want to detect when use with only /i.

In theTwitter https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/ the malware use only /s /i

[nasbench]

Hi,

The rule in question is trying to detect an anomaly in the presence of the /i without the /n. This makes it suspicious as it differs from the typical case. The usage of both flags is used by both malicious actors and legitimate software. So the detection cannot be based on the flags alone.

We have other rules for other cases including the generic one you speak of, there are other rules that try to cover suspicious cases. For example:

• Regsvr32 Anomaly
• Suspicious Regsvr32 HTTP IP Pattern
• Suspicious Regsvr32 Execution With Image Extension

Hope this clears up things.

[AlphaKiloDelta]

Thank you for your reply.

I see why the lack of the /n flag with the /i would be unusual, but what makes it suspicious? How is it more likely to indicate malicious behaviour as opposed to simply indicating an oversight by a legitimate actor forgetting to add /n? Surely a malicious actor is more likely to use the combination of /n /i than /i alone, and if /i were to be used alone, how is this indicative of malicious behaviour and worthy of detection?

This rule appears to be targetting a scenario which does not necessarily relate to any malicious activity. Please do let me know if I am missing anything here.

Thanks again.

[nasbench]

Hi,

The idea is not looking for maliciousness but for suspiciousness and something becomes "suspicious" (in some form) if it's not that common.

If most of the time /i is used with /n (which let's say is 90% of the calls). Looking for something that's not typical is a cause of suspicion in itself and that's what the rule is looking for here. That's why it's called an Anomaly. (And I think that the intention of the author of the tweet)

Hope this answer your question.

Regards.

[AlphaKiloDelta]

Hello,

I see, what are some use cases of this rule then? How could it be used for any benefit? Would it be, for example, to detect a system administrator mistakingly forgetting to add the /n and therefore inadvertently modifying Registry? i.e. is it mostly used for checking legitimate activity, as opposed to monitoring for anything malicious?

Thank you.

[nasbench]

Hi,

As I said this rule is looking for an anomaly. So an anomaly in this case means something unexpected. The tweet author indicated that in "most" cases you should expect both flags. And if only one is present it should cause suspicion.

Now, this could be as you said an admin forgetting or an application missing the flag, or an attacker doing a typo. We don't care :) as we want to catch them all.

Think of this as a hunting rule looking for uncommon execution of regsvr32. It could never trigger but when it does, it's worth looking at.

Regards.