T1218.010 Regsvr32 Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPatterns = dynamic(["http://", "https://", "scrobj.dll", "/s", "/u", "/i:"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "regsvr32.exe"
| extend RemoteSCT = ProcessCommandLine has_any ("http://", "https://")
| extend ScrObj = ProcessCommandLine has "scrobj.dll"
| extend UnregisterFlag = ProcessCommandLine has_any ("/u", "/unregister")
| extend SuspiciousPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "Desktop", "ProgramData")
| extend InlineScript = ProcessCommandLine has "/i:"
| extend SuspiciousParent = InitiatingProcessFileName has_any ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where RemoteSCT or ScrObj or (SuspiciousPath and SuspiciousParent) or SuspiciousParent
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, RemoteSCT, ScrObj, UnregisterFlag, SuspiciousPath, InlineScript, SuspiciousParent
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where InitiatingProcessFileName =~ "regsvr32.exe"
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine
  | sort by Timestamp desc
)

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Network: Network Connection Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software installers that use regsvr32.exe to register DLLs and OCX files from Program Files directories
Windows Update and software deployment tools that register COM components via regsvr32.exe
Third-party software (printer drivers, codecs, ActiveX controls) that register DLLs via regsvr32.exe during installation
Enterprise software with custom COM components that are registered via automated deployment scripts

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\regsvr32.exe" OR ParentImage="*\\regsvr32.exe")
| eval RemoteSCT=if(match(CommandLine, "http[s]?://"), 1, 0)
| eval ScrObj=if(match(CommandLine, "scrobj"), 1, 0)
| eval Unregister=if(match(CommandLine, "(/u|/unregister)"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|Desktop|ProgramData)"), 1, 0)
| eval InlineScript=if(match(CommandLine, "/i:"), 1, 0)
| eval OfficeParent=if(match(ParentImage, "(winword|excel|outlook|powerpnt)\.exe"), 1, 0)
| eval ScriptParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta)\.exe"), 1, 0)
| eval SuspiciousChild=if(ParentImage="*\\regsvr32.exe" AND match(Image, "(cmd|powershell|wscript|cscript|rundll32|net|certutil)\.exe"), 1, 0)
| eval RiskScore=RemoteSCT + ScrObj + (SuspiciousPath * (OfficeParent + ScriptParent)) + InlineScript + OfficeParent + SuspiciousChild
| where RiskScore > 0 OR SuspiciousChild=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, RemoteSCT, ScrObj, Unregister, SuspiciousPath, InlineScript, OfficeParent, ScriptParent, SuspiciousChild, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software installers that use regsvr32.exe to register DLLs and OCX files from Program Files directories
Windows Update and software deployment tools that register COM components via regsvr32.exe
Third-party software (printer drivers, codecs, ActiveX controls) that register DLLs via regsvr32.exe during installation
Enterprise software with custom COM components that are registered via automated deployment scripts

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  (
    process.name : "regsvr32.exe" and
    (
      process.command_line : ("*http://*", "*https://*", "*scrobj.dll*", "*/i:*") or
      (
        process.command_line : ("*\\Temp\\*", "*AppData*", "*Downloads*", "*Public*", "*Desktop*", "*ProgramData*") and
        process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
      ) or
      process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
    )
  ) or
  (
    process.parent.name : "regsvr32.exe" and
    process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "net.exe", "certutil.exe")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-windows.sysmon_operational-*

False Positives

IT administrators using regsvr32.exe to register or unregister legitimate COM/OCX components via command-line wrappers (cmd.exe, powershell.exe) during software deployment or OS hardening routines
Software installation packages (MSI, NSIS, Inno Setup) that spawn regsvr32.exe from cmd.exe or powershell.exe to register DLLs in AppData or ProgramData during first-run or setup
Developer workstations running build or test automation scripts via cscript.exe or wscript.exe that legitimately call regsvr32.exe to register in-development COM servers

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  sourceip AS SourceIP,
  username AS Username,
  "Image" AS ProcessImage,
  "CommandLine" AS ProcessCommandLine,
  "ParentImage" AS ParentImage,
  "ParentCommandLine" AS ParentCommandLine,
  CASE WHEN LOWER("CommandLine") SIMILAR TO '%http://%' OR LOWER("CommandLine") SIMILAR TO '%https://%' THEN 1 ELSE 0 END AS RemoteSCT,
  CASE WHEN LOWER("CommandLine") SIMILAR TO '%scrobj%' THEN 1 ELSE 0 END AS ScrObj,
  CASE WHEN LOWER("CommandLine") SIMILAR TO '%/i:%' THEN 1 ELSE 0 END AS InlineScript,
  CASE WHEN LOWER("CommandLine") SIMILAR TO '%(temp|appdata|downloads|public|desktop|programdata)%' THEN 1 ELSE 0 END AS SuspiciousPath,
  CASE WHEN LOWER("ParentImage") SIMILAR TO '%(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)%.exe%' THEN 1 ELSE 0 END AS SuspiciousParent,
  CASE WHEN LOWER("ParentImage") SIMILAR TO '%\\regsvr32.exe' AND LOWER("Image") SIMILAR TO '%(cmd|powershell|wscript|cscript|rundll32|certutil)%.exe%' THEN 1 ELSE 0 END AS SuspiciousChild
FROM events
WHERE
  starttime > DATEADD('hour', -24, NOW())
  AND LOGSOURCETYPEID(devicetype) IN (12, 52, 198, 433)
  AND (
    LOWER("Image") SIMILAR TO '%\\regsvr32.exe'
    OR LOWER("ParentImage") SIMILAR TO '%\\regsvr32.exe'
  )
  AND (
    LOWER("CommandLine") SIMILAR TO '%http://%'
    OR LOWER("CommandLine") SIMILAR TO '%https://%'
    OR LOWER("CommandLine") SIMILAR TO '%scrobj%'
    OR LOWER("CommandLine") SIMILAR TO '%/i:%'
    OR LOWER("ParentImage") SIMILAR TO '%(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)%.exe%'
    OR (
      LOWER("ParentImage") SIMILAR TO '%\\regsvr32.exe'
      AND LOWER("Image") SIMILAR TO '%(cmd|powershell|wscript|cscript|rundll32|certutil)%.exe%'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar Microsoft Windows DSM (Sysmon EventID 1) Windows Security Event Log Snare for Windows

Required Tables

events

False Positives

Automated software distribution systems (SCCM, Intune, PDQ Deploy) that legitimately invoke regsvr32.exe from cmd.exe or powershell.exe wrappers as part of COM component registration during managed deployments
Software vendors whose installer packages use ProgramData or AppData staging paths before calling regsvr32.exe, triggering the suspicious-path heuristic on otherwise benign setups
Security and EDR vendors whose agents spawn regsvr32.exe during telemetry collection or hook injection, which may appear as a suspicious parent-child relationship

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where EventID = "1" or EventCode = "1"
| parse regex "(?s)Image:\s*(?<Image>[^\r\n]+)" nodrop
| parse regex "(?s)CommandLine:\s*(?<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?s)ParentImage:\s*(?<ParentImage>[^\r\n]+)" nodrop
| parse regex "(?s)ParentCommandLine:\s*(?<ParentCommandLine>[^\r\n]+)" nodrop
| parse regex "(?s)User:\s*(?<User>[^\r\n]+)" nodrop
| parse regex "(?s)Computer:\s*(?<Computer>[^\r\n]+)" nodrop
| where Image matches "*\\regsvr32.exe" or ParentImage matches "*\\regsvr32.exe"
| eval remoteSCT = if(CommandLine matches "(?i)https?://", 1, 0)
| eval scrObj = if(CommandLine matches "(?i)scrobj", 1, 0)
| eval inlineScript = if(CommandLine matches "(?i)/i:", 1, 0)
| eval suspiciousPath = if(CommandLine matches "(?i)(temp|appdata|downloads|public|desktop|programdata)", 1, 0)
| eval officeParent = if(ParentImage matches "(?i)(winword|excel|outlook|powerpnt)\.exe", 1, 0)
| eval scriptParent = if(ParentImage matches "(?i)(cmd|powershell|wscript|cscript|mshta)\.exe", 1, 0)
| eval suspiciousChild = if(ParentImage matches "(?i)\\regsvr32\.exe" and Image matches "(?i)(cmd|powershell|wscript|cscript|rundll32|net|certutil)\.exe", 1, 0)
| eval riskScore = remoteSCT + scrObj + inlineScript + (suspiciousPath * (officeParent + scriptParent)) + officeParent + scriptParent + suspiciousChild
| where riskScore > 0 or suspiciousChild = 1
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, remoteSCT, scrObj, inlineScript, suspiciousPath, officeParent, scriptParent, suspiciousChild, riskScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Log Analytics Sysmon for Windows (EventID 1) Windows Event Forwarding

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Legitimate software packaging workflows that stage DLLs in AppData or Temp directories and then register them via regsvr32.exe, triggering the suspicious-path heuristic without malicious intent
Enterprise endpoint management tools (PDQ Deploy, Altiris, Ansible WinRM) that orchestrate regsvr32.exe calls through cmd.exe or powershell.exe as part of application rollouts
Developers on build servers running test harnesses via cscript.exe or wscript.exe that legitimately invoke regsvr32.exe to register COM servers during integration testing

Google Chronicle / SecOps

yaral

rule T1218_010_Regsvr32_Abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects regsvr32.exe abuse including Squiblydoo remote SCT execution, scrobj.dll inline script loading, suspicious Office and script-host parent processes, and dangerous child processes spawned by regsvr32.exe. Covers T1218.010 abuse by QakBot, Emotet, Dridex, Valak, APT32, APT29, Kimsuky, and Cobalt Group."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.010"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1218/010/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH" and
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)\\regsvr32\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)https?://`) or
          re.regex($e.target.process.command_line, `(?i)scrobj`) or
          re.regex($e.target.process.command_line, `(?i)\/i:`) or
          re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe$`)
        )
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\regsvr32\.exe$`) and
        re.regex($e.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|rundll32|certutil)\.exe$`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Forwarder (Sysmon) Microsoft Defender for Endpoint via Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH entity type)

False Positives

IT operations runbooks invoking regsvr32.exe from cmd.exe or powershell.exe to register or unregister ActiveX controls and COM automation servers during legitimate configuration management
Office add-in and plugin installers that legitimately spawn regsvr32.exe from an Office parent (winword.exe, outlook.exe) to register COM shim DLLs during first-run initialisation
Authorised red team or penetration testing engagements using Squiblydoo payloads — correlate alert timestamps against approved change management records before escalating

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName=/(?i)^regsvr32\.exe$/ OR ParentBaseFileName=/(?i)^regsvr32\.exe$/
| RemoteSCT := match(field=CommandLine, regex="(?i)https?://")
| ScrObj := match(field=CommandLine, regex="(?i)scrobj")
| InlineScript := match(field=CommandLine, regex="(?i)/i:")
| SuspiciousPath := match(field=CommandLine, regex="(?i)(temp|appdata|downloads|public|desktop|programdata)")
| SuspiciousParent := match(field=ParentBaseFileName, regex="(?i)(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe")
| IsRegParent := match(field=ParentBaseFileName, regex="(?i)^regsvr32\.exe$")
| IsSuspiciousChild := match(field=FileName, regex="(?i)^(cmd|powershell|wscript|cscript|rundll32|net|certutil)\.exe$")
| SuspiciousChild := if(IsRegParent and IsSuspiciousChild, then="true", else="false")
| RiskScore := if(RemoteSCT, then=1, else=0) + if(ScrObj, then=1, else=0) + if(InlineScript, then=1, else=0) + if(SuspiciousParent, then=1, else=0) + if(SuspiciousChild="true", then=1, else=0)
| RiskScore > 0 OR SuspiciousChild = "true"
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, RemoteSCT, ScrObj, InlineScript, SuspiciousPath, SuspiciousParent, SuspiciousChild, RiskScore], sortby=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Platform Falcon Sensor Process Telemetry (ProcessRollup2)

Required Tables

ProcessRollup2

False Positives

Falcon-monitored endpoints running enterprise software deployment tools (SCCM, Intune, PDQ Deploy) that wrap regsvr32.exe calls inside powershell.exe or cmd.exe for COM component registration during managed rollouts
Software build servers where CI/CD pipelines invoke regsvr32.exe through script host parents (wscript.exe, cscript.exe) to register in-development COM automation servers during integration builds
Managed service provider (MSP) remote administration scripts that orchestrate regsvr32.exe calls via script interpreters to configure client environments, triggering the suspicious-parent heuristic

Regsvr32

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections