Detect Regsvr32 in CrowdStrike LogScale
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including DLLs, on Windows systems. The 'Squiblydoo' variation passes a URL to a remote COM scriptlet file (SCT) that executes without registry changes, making no persistent artifacts. This technique is widely used by QakBot, Emotet, Dridex, Valak, Astaroth, TA551, and many APTs including APT32, APT29, Kimsuky, Cobalt Group, Leviathan, and Storm-0501. It is one of the most abused LOLBins in the threat landscape.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.010 Regsvr32
- Canonical reference
- https://attack.mitre.org/techniques/T1218/010/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| FileName=/(?i)^regsvr32\.exe$/ OR ParentBaseFileName=/(?i)^regsvr32\.exe$/
| RemoteSCT := match(field=CommandLine, regex="(?i)https?://")
| ScrObj := match(field=CommandLine, regex="(?i)scrobj")
| InlineScript := match(field=CommandLine, regex="(?i)/i:")
| SuspiciousPath := match(field=CommandLine, regex="(?i)(temp|appdata|downloads|public|desktop|programdata)")
| SuspiciousParent := match(field=ParentBaseFileName, regex="(?i)(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe")
| IsRegParent := match(field=ParentBaseFileName, regex="(?i)^regsvr32\.exe$")
| IsSuspiciousChild := match(field=FileName, regex="(?i)^(cmd|powershell|wscript|cscript|rundll32|net|certutil)\.exe$")
| SuspiciousChild := if(IsRegParent and IsSuspiciousChild, then="true", else="false")
| RiskScore := if(RemoteSCT, then=1, else=0) + if(ScrObj, then=1, else=0) + if(InlineScript, then=1, else=0) + if(SuspiciousParent, then=1, else=0) + if(SuspiciousChild="true", then=1, else=0)
| RiskScore > 0 OR SuspiciousChild = "true"
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, RemoteSCT, ScrObj, InlineScript, SuspiciousPath, SuspiciousParent, SuspiciousChild, RiskScore], sortby=@timestamp, order=desc)CrowdStrike Falcon LogScale (CQL) detection for regsvr32.exe abuse using ProcessRollup2 sensor events. Applies regex matching across command-line indicators (remote HTTP/S URLs for Squiblydoo, scrobj.dll, /i: inline script), suspicious parent process detection (Office apps and script hosts), and identification of dangerous child processes spawned by a regsvr32.exe parent. Risk scoring mirrors the SPL detection methodology to support analyst triage and prioritisation.
Data Sources
Required Tables
False Positives & Tuning
- Falcon-monitored endpoints running enterprise software deployment tools (SCCM, Intune, PDQ Deploy) that wrap regsvr32.exe calls inside powershell.exe or cmd.exe for COM component registration during managed rollouts
- Software build servers where CI/CD pipelines invoke regsvr32.exe through script host parents (wscript.exe, cscript.exe) to register in-development COM automation servers during integration builds
- Managed service provider (MSP) remote administration scripts that orchestrate regsvr32.exe calls via script interpreters to configure client environments, triggering the suspicious-parent heuristic
Other platforms for T1218.010
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Squiblydoo - Regsvr32 Remote SCT Execution
Expected signal: Sysmon Event ID 1: regsvr32.exe with /s /n /u /i: URL and scrobj.dll in command line. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. Security Event ID 4688. Sysmon Event ID 7: scrobj.dll loaded by regsvr32.exe.
- Test 2Regsvr32 DLL Execution from Temp Directory
Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: regsvr32.exe with /s and Temp path. Sysmon Event ID 7: DLL loaded by regsvr32.exe. Security Event ID 4688.
- Test 3Regsvr32 Launched from PowerShell Parent
Expected signal: Sysmon Event ID 1: powershell.exe then regsvr32.exe with ParentImage=powershell.exe. SuspiciousParent fires. Security Event ID 4688 for both. Regsvr32 will fail (no valid DLL) but the process creation event fires.
References (6)
- https://attack.mitre.org/techniques/T1218/010/
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
- https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/
- https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md
- https://support.microsoft.com/en-us/kb/249873
Unlock Pro Content
Get the full detection package for T1218.010 including response playbook, investigation guide, and atomic red team tests.