T1218.010: Regsvr32

Data from MITRE ATT&CK®:

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)

Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)

Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Exploit Protection

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Module Load (Module)

Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)

Network Connection Creation (Network Traffic)

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Regsvr32 Registering Non DLL

windows

Regsvr32 local COM scriptlet execution

windows

Regsvr32 Silent DLL Install Call DllRegisterServer

windows

Regsvr32 remote COM scriptlet execution

windows

Regsvr32 local DLL execution

windows

Suspicious HH.EXE Execution

windows process creation

Suspicious WmiPrvSE Child Process

windows process creation

Scripting/CommandLine Process Spawned Regsvr32

windows process creation

Network Connection Initiated By Regsvr32.EXE

windows network connection

Potentially Suspicious Regsvr32 HTTP/FTP Pattern

windows process creation

Suspicious Regsvr32 Execution From Remote Share

windows process creation

HTML Help HH.EXE Suspicious Child Process

windows process creation

Suspicious WMIC Execution Via Office Process

windows process creation

Potentially Suspicious Regsvr32 HTTP IP Pattern

windows process creation

DNS Query Request By Regsvr32.EXE

windows dns query

Potentially Suspicious Child Process Of Regsvr32

windows process creation

Regsvr32 Execution From Highly Suspicious Location

windows process creation

Potential Regsvr32 Commandline Flag Anomaly

windows process creation

Regsvr32 DLL Execution With Suspicious File Extension

windows process creation

Suspicious Microsoft Office Child Process

windows process creation

Unsigned DLL Loaded by Windows Utility

windows image load

Regsvr32 Execution From Potential Suspicious Location

windows process creation