T1218.010

Regsvr32

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32) Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allow...

Platform: Windows
41 Detections
4 Sources
11 Threat Actors

BY SOURCE

elastic: 17
sigma: 17
splunk_escu: 6
crowdstrike_cql: 1

PROCEDURES (29)

All procedure categories below are auto-extracted from the detections; the count is the number of detections in each category.

Suspicious: 3 detections
Process Creation Monitoring: 3 detections
Download: 2 detections
Child Process: 2 detections
Network Connection Monitoring: 2 detections
Wmi: 2 detections
Bypass: 2 detections
Parent Process: 2 detections
Script Execution Monitoring: 2 detections
Child Process: 2 detections
Remote: 1 detection
Office: 1 detection
Suspicious: 1 detection
Office: 1 detection
Remote: 1 detection
Unusual: 1 detection
Suspicious: 1 detection
Module Load Monitoring: 1 detection
General Monitoring: 1 detection
Privilege: 1 detection
Persist: 1 detection
Suspicious: 1 detection
Persist: 1 detection
Remote: 1 detection
Privilege: 1 detection
Unusual: 1 detection
Parent Process: 1 detection
Download: 1 detection
Privilege: 1 detection

DETECTIONS (41)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity.

Delayed Execution via Ping (elastic, low)
Detect Regsvr32 Application Control Bypass (splunk_escu)
DNS Query Request By Regsvr32.EXE (sigma, medium)
Execution from Unusual Directory - Command Line (elastic, medium)
Execution of Persistent Suspicious Program (elastic, medium)
HTML Help HH.EXE Suspicious Child Process (sigma, high)
LOLBin Regsvr32 (crowdstrike_cql)
Malicious InProcServer32 Modification (splunk_escu)
Network Connection Initiated By Regsvr32.EXE (sigma, medium)
Network Connection via Registration Utility (elastic, low)
Potential Command and Control via Internet Explorer (elastic, medium)
Potential Regsvr32 Commandline Flag Anomaly (sigma, medium)
Potentially Suspicious Child Process Of Regsvr32 (sigma, high)
Potentially Suspicious Regsvr32 HTTP IP Pattern (sigma, high)
Potentially Suspicious Regsvr32 HTTP/FTP Pattern (sigma, medium)
Regsvr32 DLL Execution With Suspicious File Extension (sigma, high)
Regsvr32 Execution From Highly Suspicious Location (sigma, high)
Regsvr32 Execution From Potential Suspicious Location (sigma, medium)
Regsvr32 Silent and Install Param Dll Loading (splunk_escu)
Regsvr32 with Known Silent Switch Cmdline (splunk_escu)
Scripting/CommandLine Process Spawned Regsvr32 (sigma, medium)
Service Control Spawned via Script Interpreter (elastic, low)
Suspicious .NET Code Compilation (elastic, medium)
Suspicious Execution from a Mounted Device (elastic, medium)
Suspicious Explorer Child Process (elastic, medium)
Suspicious HH.EXE Execution (sigma, high)
Suspicious JetBrains TeamCity Child Process (elastic, medium)
Suspicious Managed Code Hosting Process (elastic, high)
Suspicious Microsoft Office Child Process (sigma, high)
Suspicious MS Office Child Process (elastic, medium)
Suspicious MS Outlook Child Process (elastic, low)
Suspicious PDF Reader Child Process (elastic, low)
Suspicious Regsvr32 Execution From Remote Share (sigma, high)
Suspicious Regsvr32 Register Suspicious Path (splunk_escu)
Suspicious Script Object Execution (elastic, medium)
Suspicious Windows Command Shell Arguments (elastic, high)
Suspicious WMIC Execution Via Office Process (sigma, high)
Suspicious WmiPrvSE Child Process (sigma, high)
Unsigned DLL Loaded by Windows Utility (sigma, medium)
Unusual Network Activity from a Windows System Binary (elastic, medium)
Windows Regsvr32 Renamed Binary (splunk_escu)