Threat Watch

Malicious Documents Serve Regsvr32.exe Execution

Researchers at Uptycs labs have documented an increase in regsvr32 execution via malicious documents in the recent months. The research team observed over 500 samples using regsvr32.exe to register .ocx files, using similar commands as the example below:

  • regsvr32 -e -n -i:&Tiposa!G22&  C:\\ProgramData\\Dotr4.ocx

Regsvr32 can be used for loading COM scriptlets to execute DLLs without making changes to the Registry as the COM object is not actually registered but executed. This technique is also known as the Squiblydoo technique allowing the bypass of application whitelisting.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

There are well-defined characteristics at runtime for normal usage of regsvr32. Those patterns, along with monitoring activity around the Registry, allow for greater chance of detection almost immediately after the document lands on an endpoint. Uptycs researchers provided two queries for their platform that can assist with developing detections.
• Select * from process_events where ( path like ‘%System32\regsvr32.exe’ or path like ‘%System32\regsvr32.exe’ ) and (( cmdline like ‘%-i%’ or cmdline like ‘%/i%’ ) and (cmdline like ‘%.ocx%’ or cmdline like ‘%scrobj.dll%’))

• Select * from process_events where ( path like ‘%System32\regsvr32.exe’ or path like ‘%System32\regsvr32.exe’ ) and (ancestor_list like ‘%WINWORD.EXE%’ OR ancestor_list like ‘%POWERPNT.EXE%’ OR ancestor_list like ‘%EXCEL.EXE%’ OR ancestor_list like ‘%powershell.exe%’)

https://www.uptycs.com/blog/attackers-increasingly-adopting-regsvr32-utility-execution-via-office-documents

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support