title: Regsvr32 (T1218.010)
id: df00tech-t1218-010
status: experimental
description: "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, including DLLs, on Windows systems. The 'Squiblydoo' variation passes a URL to a remote COM scriptlet file (SCT) that executes without registry changes, leaving no persistent artifacts. This technique is widely used by QakBot, Emotet, Dridex, Valak, Astaroth, TA551, and many APTs including APT32, APT29, Kimsuky, Cobalt Group, Leviathan, and Storm-0501. It is one of the most abused LOLBins in the threat landscape."
references:
  - https://attack.mitre.org/techniques/T1218/010/
  - https://df00tech.com/detections/T1218.010
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.010
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Hand-written baseline for the Squiblydoo variant described above (remote scriptlet passed to regsvr32.exe); the full logic could not be auto-translated, see the KQL/SPL query on df00tech.
  selection_img:
    Image|endswith: '\regsvr32.exe'
  selection_cli:
    CommandLine|contains:
      - 'scrobj.dll'
      - '.sct'
      - 'i:http'
  condition: all of selection_*
falsepositives:
  - Legitimate software installers that use regsvr32.exe to register DLLs and OCX files from Program Files directories
  - Windows Update and software deployment tools that register COM components via regsvr32.exe
  - Third-party software (printer drivers, codecs, ActiveX controls) that register DLLs via regsvr32.exe during installation
  - Enterprise software with custom COM components that are registered via automated deployment scripts
level: high
