T1218.010 Splunk · SPL

Detect Regsvr32 in Splunk

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including DLLs, on Windows systems. The 'Squiblydoo' variation passes a URL to a remote COM scriptlet file (SCT) that executes without registry changes, making no persistent artifacts. This technique is widely used by QakBot, Emotet, Dridex, Valak, Astaroth, TA551, and many APTs including APT32, APT29, Kimsuky, Cobalt Group, Leviathan, and Storm-0501. It is one of the most abused LOLBins in the threat landscape.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.010 Regsvr32
Canonical reference
https://attack.mitre.org/techniques/T1218/010/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\regsvr32.exe" OR ParentImage="*\\regsvr32.exe")
| eval RemoteSCT=if(match(CommandLine, "http[s]?://"), 1, 0)
| eval ScrObj=if(match(CommandLine, "scrobj"), 1, 0)
| eval Unregister=if(match(CommandLine, "(/u|/unregister)"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|Desktop|ProgramData)"), 1, 0)
| eval InlineScript=if(match(CommandLine, "/i:"), 1, 0)
| eval OfficeParent=if(match(ParentImage, "(winword|excel|outlook|powerpnt)\.exe"), 1, 0)
| eval ScriptParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta)\.exe"), 1, 0)
| eval SuspiciousChild=if(ParentImage="*\\regsvr32.exe" AND match(Image, "(cmd|powershell|wscript|cscript|rundll32|net|certutil)\.exe"), 1, 0)
| eval RiskScore=RemoteSCT + ScrObj + (SuspiciousPath * (OfficeParent + ScriptParent)) + InlineScript + OfficeParent + SuspiciousChild
| where RiskScore > 0 OR SuspiciousChild=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, RemoteSCT, ScrObj, Unregister, SuspiciousPath, InlineScript, OfficeParent, ScriptParent, SuspiciousChild, RiskScore
| sort - _time
high severity high confidence

Detects Regsvr32 abuse using Sysmon Event ID 1 with comprehensive scoring. Squiblydoo (remote SCT) and scrobj.dll patterns score immediately. Suspicious path only scores when combined with an Office or scripting parent, reducing false positives from legitimate installers. Child process creation from regsvr32 is unconditionally flagged.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate software installers that use regsvr32.exe to register DLLs and OCX files from Program Files directories
  • Windows Update and software deployment tools that register COM components via regsvr32.exe
  • Third-party software (printer drivers, codecs, ActiveX controls) that register DLLs via regsvr32.exe during installation
  • Enterprise software with custom COM components that are registered via automated deployment scripts
Download portable Sigma rule (.yml)

Other platforms for T1218.010

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Squiblydoo - Regsvr32 Remote SCT Execution

    Expected signal: Sysmon Event ID 1: regsvr32.exe with /s /n /u /i: URL and scrobj.dll in command line. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. Security Event ID 4688. Sysmon Event ID 7: scrobj.dll loaded by regsvr32.exe.

  2. Test 2Regsvr32 DLL Execution from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: regsvr32.exe with /s and Temp path. Sysmon Event ID 7: DLL loaded by regsvr32.exe. Security Event ID 4688.

  3. Test 3Regsvr32 Launched from PowerShell Parent

    Expected signal: Sysmon Event ID 1: powershell.exe then regsvr32.exe with ParentImage=powershell.exe. SuspiciousParent fires. Security Event ID 4688 for both. Regsvr32 will fail (no valid DLL) but the process creation event fires.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1218.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1546.015Component Object Model HijackingT1566.001Spearphishing AttachmentT1059.007JavaScriptT1059.005Visual BasicT1071.001Web ProtocolsT1218.008Odbcconf

Same Tactic: Defense Evasion

Popular Detections