This is the latest in a series of posts we call “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.
Cyber adversaries who compromise an IT environment are keen to avoid detection. One way they do that is by “living off the land.” That is: they use existing administrative tools, rather than external programs or malware. This helps them carry out their objectives within a compromised environment, blending in with normal network traffic and operations.
Organizations that want to spot and stop sophisticated cyber actors need to pay close attention to “dual use” applications that may be used both in legitimate and malicious activities. In this series we have talked about malicious activity linked to Microsoft’s PowerShell. Another common tool that is used is Regsvr32, a signed Microsoft binary that is bundled with Windows. Regsvr32 is a command line tool that is used to register and deregister Dynamic Link Libraries (DLLs). It is also, frequently, leveraged as part of malicious campaigns. However, detecting malicious use of these tools, apart from ordinary use, is a challenge for defender organizations.
In this post, we take a look at how QOMPLX’s technology helps customers spot patterns of behavior that may indicate malicious use of Regsvr32.
- Monitoring for suspicious use of the Regsvr32 utility is an effective way to identify malicious actors or malicious applications at work in your environment.
- Regsvr32 is often deployed by malicious actors to bypass application control features, for example: by loading COM scriptlets to execute DLLs under user permissions.
- Defenders should monitor for the execution of regsvr32.exe and arguments passed to the utility, noting anomalous activity.
- Windows Event ID 4688 captures any processes created with the command line, including Regsvr32.
- QOMPLX’s Identity Assurance technology monitors Event ID 4688 and flags processes created with the command line that invoke regsrv32.exe along with suspicious parameters.
How Regsvr32 Is Abused by Malicious Actors
The Windows utility Regsvr32 is a popular method that malicious actors use to gain persistence within compromised environments. In particular, attackers using Regsvr32 for Signed Binary Proxy Execution (T1218) in which attackers seek to bypass application whitelists or signature-based defenses by proxying execution of malicious content with signed binaries, like Regsvr32.
The Advanced Persistent Threat Group APT 32 (G0050), for example, was observed creating a Scheduled Task within compromised environments that used regsvr32.exe to execute a COM scriptlet. That scriptlet dynamically downloaded a backdoor and injected it into memory on the host. Regsvr32 could also be used to run the backdoor once it was installed.
QOMPLX Identity Assurance monitors the Windows Security Log for Windows Event ID 4688 (a new process has been created) that invokes the Regsvr32 utility from the command line combination with suspicious parameters.
For example: regsrv32 execution with scrobj.dll (which executes .sct files) or with a URL as a parameter. Such behaviors may indicate that an attacker is attempting to download a file from the Internet and execute it.