Researchers at Uptycs labs have documented an increase in regsvr32 execution via malicious documents in recent months. The research team observed over 500 samples using regsvr32.exe to register .ocx files, with commands similar to the example below:
- regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Dotr4.ocx
Regsvr32 can load COM scriptlets and execute DLLs without making changes to the Registry, because the COM object is executed rather than actually registered. This technique, also known as Squiblydoo, allows application whitelisting to be bypassed.
Normal usage of regsvr32 has well-defined runtime characteristics. Those patterns, combined with monitoring of activity around the Registry, give a much better chance of detection almost immediately after the document lands on an endpoint. Uptycs researchers provided two queries for their platform that can assist with developing detections.
```sql
SELECT * FROM process_events
WHERE (path LIKE '%System32\regsvr32.exe' OR path LIKE '%System32\regsvr32.exe')
  AND ((cmdline LIKE '%-i%' OR cmdline LIKE '%/i%')
       AND (cmdline LIKE '%.ocx%' OR cmdline LIKE '%scrobj.dll%'))
```

```sql
SELECT * FROM process_events
WHERE (path LIKE '%System32\regsvr32.exe' OR path LIKE '%System32\regsvr32.exe')
  AND (ancestor_list LIKE '%WINWORD.EXE%' OR ancestor_list LIKE '%POWERPNT.EXE%'
       OR ancestor_list LIKE '%EXCEL.EXE%' OR ancestor_list LIKE '%powershell.exe%')
```
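To check what the two queries above actually catch, here is an added example (not Uptycs code) that runs the same predicates over a handful of constructed process events in an in-memory SQLite table standing in for the platform's `process_events` table; the `id`/`path`/`cmdline`/`ancestor_list` columns and all event rows are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows for a process_events table (id, path, cmdline,
# ancestor_list); none of this is real telemetry. Event 1 mirrors the command
# line Uptycs reported, the rest are benign or edge cases.
SAMPLE_EVENTS = [
    (1, r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Dotr4.ocx",
     "WINWORD.EXE,explorer.exe"),
    # Installer silently registering a vendor DLL: matches neither rule.
    (2, r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32 /s C:\Program Files\Vendor\plugin.dll", "msiexec.exe,services.exe"),
    # No /i and no .ocx, but spawned under Excel: only the parent-chain rule fires.
    (3, r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32 /s C:\Users\Public\addin.dll", "EXCEL.EXE,explorer.exe"),
    # .ocx on the command line but a different binary: the path filter excludes it.
    (4, r"C:\Windows\System32\rundll32.exe",
     r"rundll32 C:\ProgramData\Dotr4.ocx,Entry", "WINWORD.EXE,explorer.exe"),
    # False positive: '%-i%' is a loose substring match and also hits the '-I'
    # in the vendor directory name, so the first rule fires on a benign install.
    (5, r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32 /s C:\Program Files\Contoso-Imaging\viewer.ocx", "msiexec.exe,services.exe"),
]

# The two Uptycs predicates from the page. SQLite's LIKE is case-insensitive
# and treats backslash literally, so the path pattern needs no ESCAPE clause.
SUSPICIOUS_ARGS_QUERY = r"""
SELECT id FROM process_events
WHERE path LIKE '%System32\regsvr32.exe'
  AND (cmdline LIKE '%-i%' OR cmdline LIKE '%/i%')
  AND (cmdline LIKE '%.ocx%' OR cmdline LIKE '%scrobj.dll%')
ORDER BY id"""

OFFICE_PARENT_QUERY = r"""
SELECT id FROM process_events
WHERE path LIKE '%System32\regsvr32.exe'
  AND (ancestor_list LIKE '%WINWORD.EXE%' OR ancestor_list LIKE '%POWERPNT.EXE%'
       OR ancestor_list LIKE '%EXCEL.EXE%' OR ancestor_list LIKE '%powershell.exe%')
ORDER BY id"""

def run_detections(events=SAMPLE_EVENTS):
    """Load the events into an in-memory table and return the ids each rule flags."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE process_events (id INTEGER, path TEXT, cmdline TEXT, ancestor_list TEXT)")
    con.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)", events)
    rules = {"suspicious_args": SUSPICIOUS_ARGS_QUERY, "office_parent": OFFICE_PARENT_QUERY}
    results = {name: [row[0] for row in con.execute(sql)] for name, sql in rules.items()}
    con.close()
    return results
```

Calling `run_detections()` on the constructed rows flags events 1 and 5 under the argument rule and events 1 and 3 under the parent-chain rule, which shows why the two rules are worth running together and why the `-i` substring match deserves tightening before it goes into production.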