Hello group, Here an interesting article on how Regsvr32.exe can use .com script files to execute code. I didn’t see a remediation, but it’s good to at least be aware of it.
http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html My question is can we write a rule to detect that Regsvr32.exe has been run? Thanks, -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.