T1218.010 Elastic Security · Elastic

Detect Regsvr32 in Elastic Security

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including DLLs, on Windows systems. The 'Squiblydoo' variation passes a URL to a remote COM scriptlet file (SCT) that executes without registry changes, making no persistent artifacts. This technique is widely used by QakBot, Emotet, Dridex, Valak, Astaroth, TA551, and many APTs including APT32, APT29, Kimsuky, Cobalt Group, Leviathan, and Storm-0501. It is one of the most abused LOLBins in the threat landscape.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.010 Regsvr32
Canonical reference
https://attack.mitre.org/techniques/T1218/010/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and
(
  (
    process.name : "regsvr32.exe" and
    (
      process.command_line : ("*http://*", "*https://*", "*scrobj.dll*", "*/i:*") or
      (
        process.command_line : ("*\\Temp\\*", "*AppData*", "*Downloads*", "*Public*", "*Desktop*", "*ProgramData*") and
        process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
      ) or
      process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
    )
  ) or
  (
    process.parent.name : "regsvr32.exe" and
    process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "net.exe", "certutil.exe")
  )
)
high severity high confidence

Detects suspicious regsvr32.exe execution patterns including Squiblydoo (remote SCT via HTTP/S), scrobj.dll loading for COM scriptlet execution, inline script flags (/i:), invocation from Office apps and script interpreters as parent processes, and regsvr32.exe spawning dangerous child processes. Covers both initial execution and post-exploitation child-spawn phases of T1218.010.

Data Sources

Elastic Endpoint SecurityWinlogbeat with SysmonElastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-*winlogbeat-*.ds-logs-windows.sysmon_operational-*

False Positives & Tuning

  • IT administrators using regsvr32.exe to register or unregister legitimate COM/OCX components via command-line wrappers (cmd.exe, powershell.exe) during software deployment or OS hardening routines
  • Software installation packages (MSI, NSIS, Inno Setup) that spawn regsvr32.exe from cmd.exe or powershell.exe to register DLLs in AppData or ProgramData during first-run or setup
  • Developer workstations running build or test automation scripts via cscript.exe or wscript.exe that legitimately call regsvr32.exe to register in-development COM servers
Download portable Sigma rule (.yml)

Other platforms for T1218.010

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Squiblydoo - Regsvr32 Remote SCT Execution

    Expected signal: Sysmon Event ID 1: regsvr32.exe with /s /n /u /i: URL and scrobj.dll in command line. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. Security Event ID 4688. Sysmon Event ID 7: scrobj.dll loaded by regsvr32.exe.

  2. Test 2Regsvr32 DLL Execution from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: regsvr32.exe with /s and Temp path. Sysmon Event ID 7: DLL loaded by regsvr32.exe. Security Event ID 4688.

  3. Test 3Regsvr32 Launched from PowerShell Parent

    Expected signal: Sysmon Event ID 1: powershell.exe then regsvr32.exe with ParentImage=powershell.exe. SuspiciousParent fires. Security Event ID 4688 for both. Regsvr32 will fail (no valid DLL) but the process creation event fires.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1218.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1546.015Component Object Model HijackingT1566.001Spearphishing AttachmentT1059.007JavaScriptT1059.005Visual BasicT1071.001Web ProtocolsT1218.008Odbcconf

Same Tactic: Defense Evasion

Popular Detections