Remediations include:
- restricting permissions to the binary
- Windows Firewall blocking network access to the binary

If a user has admin or a path to admin, these are just speed bumps.

Sysmon would be useful here for instrumentation: e.g. look for regsvr32.exe
executing and/or making any network connections.


On Tue, Apr 26, 2016 at 8:37 AM, <namobuddhaon...@gmail.com> wrote:

> Hello group,
>
> Here an interesting article on how Regsvr32.exe can use .com script files
> to execute code. I didn’t see a remediation, but it’s good to at least be
> aware of it.
>
>
> http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html
>
> My question is can we write a rule to detect that Regsvr32.exe has been
> run?
>
> Thanks,
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

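As an added example (not code from either poster or from the OSSEC project), here is one way to turn the Sysmon suggestion above into OSSEC rules that answer the original question: alert when regsvr32.exe is started (Sysmon Event ID 1, process create) and raise the level when it then opens a network connection (Sysmon Event ID 3). Assumptions: an OSSEC 2.8 or later Windows agent reading the Sysmon channel with the eventchannel log format, the stock rule 18100 as the parent of all Windows events, the event text rendered as "WinEvtLog: <channel>: INFORMATION(<id>): ...", and rule IDs 100200 and 100201 being free in the local range.

```xml
<!-- ossec.conf fragment for the Windows agent (assumption: Sysmon is installed
     and the agent supports the eventchannel log format). -->
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

<!-- local_rules.xml on the manager. Rule IDs 100200-100201 are assumed unused. -->
<group name="windows,sysmon,">

  <!-- Sysmon Event ID 1: process create. Chain from stock rule 18100 (assumed
       to match every Windows event) and key on the channel, the event ID and
       the Image field. "\.+" in OSSEC regex means one or more of any character,
       so any install path for regsvr32.exe is covered. -->
  <rule id="100200" level="7">
    <if_sid>18100</if_sid>
    <match>Microsoft-Windows-Sysmon/Operational: INFORMATION(1)</match>
    <regex>Image: \.+regsvr32.exe</regex>
    <description>Sysmon: regsvr32.exe process created</description>
  </rule>

  <!-- Sysmon Event ID 3: network connection. regsvr32.exe has little reason to
       talk to the network in normal use, so this is the higher-signal event. -->
  <rule id="100201" level="12">
    <if_sid>18100</if_sid>
    <match>Microsoft-Windows-Sysmon/Operational: INFORMATION(3)</match>
    <regex>Image: \.+regsvr32.exe</regex>
    <description>Sysmon: regsvr32.exe made a network connection</description>
  </rule>

</group>
```

Before relying on it, paste a real event line from an agent into /var/ossec/bin/ossec-logtest on the manager and confirm that 100200 or 100201 is the rule that fires; the exact field names and the "INFORMATION(n)" rendering are the parts most likely to differ between OSSEC and Sysmon versions, so adjust the match and regex to what logtest shows. Level 7 on process creation will still fire on legitimate DLL registrations (installers, some updaters), which is why the network-connection rule carries the higher level.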
