detection_fixes_2

detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml → detections/deprecated/regsvr32_with_known_silent_switch_cmdline.yml

@@ -1,9 +1,9 @@
 name: Regsvr32 with Known Silent Switch Cmdline
 id: c9ef7dc4-eeaf-11eb-b2b6-acde48001122
-version: 13
-date: '2026-04-15'
+version: 14
+date: '2026-05-27'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: The following analytic detects the execution of Regsvr32.exe with the silent switch to load DLLs. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing the `-s` or `/s` switches. This activity is significant as it is commonly used in malware campaigns, such as IcedID, to stealthily load malicious DLLs. If confirmed malicious, this could allow an attacker to execute arbitrary code, download additional payloads, and potentially compromise the system further. Immediate investigation and endpoint isolation are recommended.
 data_source:

detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml

@@ -1,7 +1,7 @@
 name: Regsvr32 Silent and Install Param Dll Loading
-id: f421c250-24e7-11ec-bc43-acde48001122
-version: 13
-date: '2026-04-15'
+id: fb3cd0d2-6888-419f-a991-ea772a4cead2
+version: 14
+date: '2026-05-27'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -12,9 +12,9 @@ data_source:
     - CrowdStrike ProcessRollup2
 search: |-
     | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE `process_regsvr32`
-        AND
-        Processes.process="*/i*" AND NOT Processes.process="*Microsoft\\TeamsMeetingAddin*"
+      WHERE `process_regsvr32` AND
+         Processes.process="*/i*" AND
+         Processes.process  IN ("*/s*", "*-s*") AND NOT Processes.process="*Microsoft\\TeamsMeetingAddin*"
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
@@ -25,8 +25,6 @@ search: |-
     | `drop_dm_object_name(Processes)`
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
-    | where match(process,"(?i)[\-
-    | \/][Ss]{1}")
     | `regsvr32_silent_and_install_param_dll_loading_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: |

removed/deprecation_mapping.YML

@@ -929,6 +929,11 @@ detections:
   - content: Excel Spawning Windows Script Host
     removed_in_version: 5.2.0
     reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
+  - content: Regsvr32 with Known Silent Switch Cmdline
+    removed_in_version: 6.0.0
+    reason: Detection has been deprecated since its logic is already covered by another more improved detection.
+    replacement_content:
+    - Regsvr32 Silent and Install Param Dll Loading
 baselines:
   - content: Baseline Of Cloud Infrastructure API Calls Per User
     removed_in_version: 5.26.0