T1218.010 Sumo Logic CSE · Sumo

Detect Regsvr32 in Sumo Logic CSE

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including DLLs, on Windows systems. The 'Squiblydoo' variation passes a URL to a remote COM scriptlet file (SCT) that executes without registry changes, making no persistent artifacts. This technique is widely used by QakBot, Emotet, Dridex, Valak, Astaroth, TA551, and many APTs including APT32, APT29, Kimsuky, Cobalt Group, Leviathan, and Storm-0501. It is one of the most abused LOLBins in the threat landscape.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.010 Regsvr32
Canonical reference
https://attack.mitre.org/techniques/T1218/010/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where EventID = "1" or EventCode = "1"
| parse regex "(?s)Image:\s*(?<Image>[^\r\n]+)" nodrop
| parse regex "(?s)CommandLine:\s*(?<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?s)ParentImage:\s*(?<ParentImage>[^\r\n]+)" nodrop
| parse regex "(?s)ParentCommandLine:\s*(?<ParentCommandLine>[^\r\n]+)" nodrop
| parse regex "(?s)User:\s*(?<User>[^\r\n]+)" nodrop
| parse regex "(?s)Computer:\s*(?<Computer>[^\r\n]+)" nodrop
| where Image matches "*\\regsvr32.exe" or ParentImage matches "*\\regsvr32.exe"
| eval remoteSCT = if(CommandLine matches "(?i)https?://", 1, 0)
| eval scrObj = if(CommandLine matches "(?i)scrobj", 1, 0)
| eval inlineScript = if(CommandLine matches "(?i)/i:", 1, 0)
| eval suspiciousPath = if(CommandLine matches "(?i)(temp|appdata|downloads|public|desktop|programdata)", 1, 0)
| eval officeParent = if(ParentImage matches "(?i)(winword|excel|outlook|powerpnt)\.exe", 1, 0)
| eval scriptParent = if(ParentImage matches "(?i)(cmd|powershell|wscript|cscript|mshta)\.exe", 1, 0)
| eval suspiciousChild = if(ParentImage matches "(?i)\\regsvr32\.exe" and Image matches "(?i)(cmd|powershell|wscript|cscript|rundll32|net|certutil)\.exe", 1, 0)
| eval riskScore = remoteSCT + scrObj + inlineScript + (suspiciousPath * (officeParent + scriptParent)) + officeParent + scriptParent + suspiciousChild
| where riskScore > 0 or suspiciousChild = 1
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, remoteSCT, scrObj, inlineScript, suspiciousPath, officeParent, scriptParent, suspiciousChild, riskScore
| sort by _messageTime desc
high severity high confidence

Sumo Logic detection for regsvr32.exe abuse using Sysmon EventID 1 (Process Create) log data. Parses structured Sysmon fields from raw log messages and applies weighted risk scoring across Squiblydoo remote SCT indicators, scrobj.dll usage, inline script flags, suspicious Office and script-host parent processes, and dangerous child processes spawned by regsvr32.exe. Risk score logic mirrors the SPL detection for parity.

Data Sources

Sumo Logic Log AnalyticsSysmon for Windows (EventID 1)Windows Event Forwarding

Required Tables

_sourceCategory=*windows*_sourceCategory=*sysmon*

False Positives & Tuning

  • Legitimate software packaging workflows that stage DLLs in AppData or Temp directories and then register them via regsvr32.exe, triggering the suspicious-path heuristic without malicious intent
  • Enterprise endpoint management tools (PDQ Deploy, Altiris, Ansible WinRM) that orchestrate regsvr32.exe calls through cmd.exe or powershell.exe as part of application rollouts
  • Developers on build servers running test harnesses via cscript.exe or wscript.exe that legitimately invoke regsvr32.exe to register COM servers during integration testing
Download portable Sigma rule (.yml)

Other platforms for T1218.010

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Squiblydoo - Regsvr32 Remote SCT Execution

    Expected signal: Sysmon Event ID 1: regsvr32.exe with /s /n /u /i: URL and scrobj.dll in command line. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. Security Event ID 4688. Sysmon Event ID 7: scrobj.dll loaded by regsvr32.exe.

  2. Test 2Regsvr32 DLL Execution from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: regsvr32.exe with /s and Temp path. Sysmon Event ID 7: DLL loaded by regsvr32.exe. Security Event ID 4688.

  3. Test 3Regsvr32 Launched from PowerShell Parent

    Expected signal: Sysmon Event ID 1: powershell.exe then regsvr32.exe with ParentImage=powershell.exe. SuspiciousParent fires. Security Event ID 4688 for both. Regsvr32 will fail (no valid DLL) but the process creation event fires.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1218.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1546.015Component Object Model HijackingT1566.001Spearphishing AttachmentT1059.007JavaScriptT1059.005Visual BasicT1071.001Web ProtocolsT1218.008Odbcconf

Same Tactic: Defense Evasion

Popular Detections