T1218.010 Microsoft Sentinel · KQL

Detect Regsvr32 in Microsoft Sentinel

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including DLLs, on Windows systems. The 'Squiblydoo' variation passes a URL to a remote COM scriptlet file (SCT) that executes without registry changes, making no persistent artifacts. This technique is widely used by QakBot, Emotet, Dridex, Valak, Astaroth, TA551, and many APTs including APT32, APT29, Kimsuky, Cobalt Group, Leviathan, and Storm-0501. It is one of the most abused LOLBins in the threat landscape.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.010 Regsvr32
Canonical reference
https://attack.mitre.org/techniques/T1218/010/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousPatterns = dynamic(["http://", "https://", "scrobj.dll", "/s", "/u", "/i:"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "regsvr32.exe"
| extend RemoteSCT = ProcessCommandLine has_any ("http://", "https://")
| extend ScrObj = ProcessCommandLine has "scrobj.dll"
| extend UnregisterFlag = ProcessCommandLine has_any ("/u", "/unregister")
| extend SuspiciousPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "Desktop", "ProgramData")
| extend InlineScript = ProcessCommandLine has "/i:"
| extend SuspiciousParent = InitiatingProcessFileName has_any ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where RemoteSCT or ScrObj or (SuspiciousPath and SuspiciousParent) or SuspiciousParent
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, RemoteSCT, ScrObj, UnregisterFlag, SuspiciousPath, InlineScript, SuspiciousParent
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where InitiatingProcessFileName =~ "regsvr32.exe"
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine
  | sort by Timestamp desc
)
high severity high confidence

Detects Regsvr32 abuse across the full attack surface: Squiblydoo pattern (remote HTTP URL for SCT loading), scrobj.dll usage for scriptlet execution, DLL loading from suspicious paths with suspicious parents, inline scriptlet invocation via /i:, and child process spawning. This covers QakBot, Emotet, APT patterns, and commodity malware.

Data Sources

Process: Process CreationCommand: Command ExecutionNetwork: Network ConnectionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate software installers that use regsvr32.exe to register DLLs and OCX files from Program Files directories
  • Windows Update and software deployment tools that register COM components via regsvr32.exe
  • Third-party software (printer drivers, codecs, ActiveX controls) that register DLLs via regsvr32.exe during installation
  • Enterprise software with custom COM components that are registered via automated deployment scripts
Download portable Sigma rule (.yml)

Other platforms for T1218.010

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Squiblydoo - Regsvr32 Remote SCT Execution

    Expected signal: Sysmon Event ID 1: regsvr32.exe with /s /n /u /i: URL and scrobj.dll in command line. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. Security Event ID 4688. Sysmon Event ID 7: scrobj.dll loaded by regsvr32.exe.

  2. Test 2Regsvr32 DLL Execution from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: regsvr32.exe with /s and Temp path. Sysmon Event ID 7: DLL loaded by regsvr32.exe. Security Event ID 4688.

  3. Test 3Regsvr32 Launched from PowerShell Parent

    Expected signal: Sysmon Event ID 1: powershell.exe then regsvr32.exe with ParentImage=powershell.exe. SuspiciousParent fires. Security Event ID 4688 for both. Regsvr32 will fail (no valid DLL) but the process creation event fires.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1218.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1546.015Component Object Model HijackingT1566.001Spearphishing AttachmentT1059.007JavaScriptT1059.005Visual BasicT1071.001Web ProtocolsT1218.008Odbcconf

Same Tactic: Defense Evasion

Popular Detections