• QOMPLX Knowledge
  • May 10, 2021

QOMPLX Knowledge: Detecting Suspicious Use of Regsvr32

QOMPLX Knowledge: Detecting Suspicious Use of Regsvr32

This is the latest in a series of posts we call “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Cyber adversaries who compromise an IT environment are keen to avoid detection. One way they do that is by “living off the land.” That is: they use existing administrative tools, rather than external programs or malware. This helps them carry out their objectives within a compromised environment, blending in with normal network traffic and operations.

Organizations that want to spot and stop sophisticated cyber actors need to pay close attention to “dual use” applications that may be used both in legitimate and malicious activities. In this series we have talked about malicious activity linked to Microsoft’s PowerShell. Another common tool that is used is Regsvr32, a signed Microsoft binary that is bundled with Windows. Regsvr32 is a command line tool that is used to register and deregister Dynamic Link Libraries (DLLs). It is also, frequently, leveraged as part of malicious campaigns. However, detecting malicious use of these tools, apart from ordinary use, is a challenge for defender organizations.

In this post, we take a look at how QOMPLX’s technology helps customers spot patterns of behavior that may indicate malicious use of Regsvr32.

Key Points:

  • Monitoring for suspicious use of the Regsvr32 utility is an effective way to identify malicious actors or malicious applications at work in your environment.
  • Regsvr32 is often deployed by malicious actors to bypass application control features, for example: by loading COM scriptlets to execute DLLs under user permissions.
  • Defenders should monitor for the execution of regsvr32.exe and arguments passed to the utility, noting anomalous activity.
  • Windows Event ID 4688 captures any processes created with the command line, including Regsvr32.
  • QOMPLX’s Identity Assurance technology monitors Event ID 4688 and flags processes created with the command line that invoke regsrv32.exe along with suspicious parameters.

How Regsvr32 Is Abused by Malicious Actors

The Windows utility Regsvr32 is a popular method that malicious actors use to gain persistence within compromised environments. In particular, attackers using Regsvr32 for Signed Binary Proxy Execution (T1218) in which attackers seek to bypass application whitelists or signature-based defenses by proxying execution of malicious content with signed binaries, like Regsvr32.

The Advanced Persistent Threat Group APT 32 (G0050), for example, was observed creating a Scheduled Task within compromised environments that used regsvr32.exe to execute a COM scriptlet. That scriptlet dynamically downloaded a backdoor and injected it into memory on the host. Regsvr32 could also be used to run the backdoor once it was installed.

QOMPLX Detection

QOMPLX Identity Assurance monitors the Windows Security Log for Windows Event ID 4688  (a new process has been created) that invokes the Regsvr32 utility from the command line combination with suspicious parameters.

For example: regsrv32 execution with scrobj.dll (which executes .sct files) or with a URL as a parameter. Such behaviors may indicate that an attacker is attempting to download a file from the Internet and execute it.

Additional Reading

QOMPLX Knowledge: Detecting Account Name Enumeration

QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

QOMPLX Knowledge: Detecting Password Spraying Attacks

Q:CYBER Ingesting Windows Event Logs

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Understanding Zones and Zone Transfer

Security Monitoring Recommendations for Windows Event 4688

Detecting Lateral Movement Through Tracking Event Logs

You might also be interested in

Lessons from the Medibank breach

Lessons from the Medibank breach

Ming Fu, a member of the Americas Pre-Sales Engineering Team at QOMPLX, looks at the much publicized Medibank breach in Australia last year, and draws a few much needed lessons based on the published findings of this breach.

Read more
IcedID Malware Gaining Prominence by Adding Identity Attack Chains

IcedID Malware Gaining Prominence by Adding Identity Attack Chains

Brian Freedman, WW Director of Solution Architecture highlights how identity controls are necessary tools, along with EDR, to combat evolving malware threats that have been expanding to include identity compromise as a primary objective in their attack strategies.

Read more
QOMPLX Knowledge: OverPass The Hash Attacks

QOMPLX Knowledge: OverPass The Hash Attacks

OverPass The Hash (OPtH) is a form of credential theft- and reuse attack that is one of the most common methods of lateral movement within compromised IT environments.

Read more
Request a Demo

Interested in learning more?

Subscribe today to stay informed and get regular updates from QOMPLX.