System Binary Proxy Execution: Regsvr32 T1218.010

Tactic: Stealth

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.

Events covered

11 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 50 rules under this technique (listed below): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (28 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

CommandLine (25 rules)
  How: contains 15, match 4, regex_match 3, ends_with 2, eq 1, in 1, is_null 1, wildcard 1
  Sample values: (?i)(regsvr32), (?i)[\- | \/][Ss]{1}, (?i)\x5c(Temp|Appdata\x5cLocal|Users\x5cPublic), cscript, "c:\

process_name (23 rules)
  How: eq 20, match 2, ne 1
  Sample values: regsvr32.exe, bginfo.exe, arp.exe, atbroker.exe, cmd.exe

Image (20 rules)
  How: ends_with 17, starts_with 2, wildcard 2, contains 1, eq 1
  Sample values: \regsvr32.exe, \certutil.exe, \cmd.exe, \cscript.exe, ?:\users\*\appdata\*.exe

OriginalFileName (17 rules)
  How: eq 15, in 2
  Sample values: regsvr32.exe, cscript.exe, \regsvr32.exe, bitsadmin.exe, certoc.exe

event.type (15 rules)
  How: eq 14, ne 1
  Sample values: start, deletion

parent_process_name (13 rules)
  How: eq 11, contains 2
  Sample values: explorer.exe, cmd.exe, mshta.exe, cscript.exe, powershell.exe

ParentImage (7 rules)
  How: ends_with 6, eq 2
  Sample values: \eqnedt32.exe, \excel.exe, \msaccess.exe, ?:\program files (x86)\teamcity\jre\bin\java.exe, ?:\program files\teamcity\jre\bin\java.exe

process.args (5 rules)
  How: eq 3, starts_with 2, wildcard 1
  Sample values: C:\Intel\, &&, -n, 1>?:\*.js, 1>?:\*.vbs

EventID (4 rules)
  How: eq 4
  Sample values: 1, 4688

dc_process (3 rules)
  How: lt 3
  Sample values: 10, 30

DestinationPortName (2 rules)
  How: eq 1, ne 1
  Sample values: dns

EventType (2 rules)
  How: eq 1, starts_with 1
  Sample values: Image loaded, start

RemoteIPType (2 rules)
  How: eq 2
  Sample values: Public

Type (2 rules)
  How: eq 2
  Sample values: (none listed)

dll.name (2 rules)
  How: eq 2
  Sample values: IEProxy.dll, scrobj.dll

Top indicator values (534 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field               Kind        Value                              Rules (here)   Corpus reach
process_name        eq          regsvr32.exe                       16             25
process_name        eq          mshta.exe                          9              31
process_name        eq          wscript.exe                        9              29
process_name        eq          cmd.exe                            8              77
process_name        eq          cscript.exe                        8              25
process_name        eq          powershell.exe                     8              104
process_name        eq          installutil.exe                    7              18
process_name        eq          regasm.exe                         7              11
process_name        eq          regsvcs.exe                        7              10
process_name        eq          rundll32.exe                       7              60
process_name        eq          certutil.exe                       6              22
process_name        eq          cmstp.exe                          6              10
process_name        eq          ieexec.exe                         6              8
process_name        eq          iexpress.exe                       6              8
process_name        eq          microsoft.workflow.compiler.exe    6              8
process_name        eq          msxsl.exe                          6              9
process_name        eq          pwsh.exe                           6              62
process_name        eq          wmic.exe                           6              47
process_name        eq          bginfo.exe                         5              6
process_name        eq          bitsadmin.exe                      5              14
process_name        eq          cdb.exe                            5              7
process_name        eq          csi.exe                            5              6
process_name        eq          dnx.exe                            5              6
process_name        eq          fsi.exe                            5              6
process_name        eq          odbcconf.exe                       5              10
process_name        eq          ping.exe                           5              9
process_name        eq          rcsi.exe                           5              6
Image               ends_with   \regsvr32.exe                      14             65
event.type          eq          start                              14             606
OriginalFileName    eq          regsvr32.exe                       11             26

Exclusions (241 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field           Kind        Value                        Rules excluding
process_name    eq          cmd.exe                      3
process_name    eq          powershell.exe               2
process_name    eq          regsvr32.exe                 2
process_name    eq          rundll32.exe                 2
Image           ends_with   \werfault.exe                2
user.id         eq          S-1-5-18                     2
CommandLine     contains    "c:\windows\                 1
CommandLine     contains    'c:\windows\                 1
CommandLine     contains    -n                           1
CommandLine     contains    -u -p                        1
CommandLine     contains    c:\windows\                  1
CommandLine     contains    /i                           1
CommandLine     contains    c:\program files (x86)\      1
CommandLine     contains    c:\program files\            1
CommandLine     contains    c:\programdata\              1
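The two guidance paragraphs above (combine a noisy indicator with a second condition; honour the exclusions the community has converged on) can be put together into a small stand-alone matcher. The block below is an added illustration, not one of the catalog's rules: it selects on the page's own indicators (Image ends_with \regsvr32.exe, OriginalFileName eq regsvr32.exe, the two CommandLine sample regexes) and then applies the four CommandLine path exclusions from the table above. The ProcessEvent dataclass, the helper names and every sample event are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Constructed event shape; field names follow the catalog's normalized names."""
    Image: str
    OriginalFileName: str
    CommandLine: str


# Selection patterns copied verbatim from the CommandLine sample values on this page.
# The first matches a -s / /s style switch, the second a user-writable path.
SILENT_SWITCH = re.compile(r"(?i)[\- | \/][Ss]{1}")
USER_WRITABLE_PATH = re.compile(r"(?i)\x5c(Temp|Appdata\x5cLocal|Users\x5cPublic)")

# Exclusion substrings from the Exclusions table (Sigma "contains" is case-insensitive,
# so everything is lower-cased before comparison).
TRUSTED_PATH_FRAGMENTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\",
)


def is_regsvr32(ev: ProcessEvent) -> bool:
    """Image ends_with catches the normal binary; OriginalFileName eq catches a renamed copy,
    because the PE version resource keeps the original file name."""
    return (ev.Image.lower().endswith("\\regsvr32.exe")
            or ev.OriginalFileName.lower() == "regsvr32.exe")


def arguments_only(cmdline: str) -> str:
    """Drop the leading executable token (quoted or bare) so that a path exclusion is tested
    against the arguments, not against the binary's own location: a command line that starts
    with c:\\windows\\system32\\regsvr32.exe would otherwise be excluded by "c:\\windows\\"."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)', cmdline, re.S)
    return m.group(1) if m else cmdline


def matches(ev: ProcessEvent) -> bool:
    """True when the event is a regsvr32 execution with a silent switch AND a user-writable
    path in its arguments, and none of the excluded trusted paths appears there."""
    if not is_regsvr32(ev):
        return False
    args = arguments_only(ev.CommandLine)
    # Either regex alone is noisy (see Corpus reach); requiring both is the second condition.
    if not (SILENT_SWITCH.search(args) and USER_WRITABLE_PATH.search(args)):
        return False
    lowered = args.lower()
    return not any(frag in lowered for frag in TRUSTED_PATH_FRAGMENTS)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    "silent_register_from_public": ProcessEvent(
        Image=r"C:\Windows\System32\regsvr32.exe",
        OriginalFileName="regsvr32.exe",
        CommandLine=r'"C:\Windows\System32\regsvr32.exe" /s C:\Users\Public\payload.dll'),
    "vendor_dll_under_programdata": ProcessEvent(
        Image=r"C:\Windows\System32\regsvr32.exe",
        OriginalFileName="regsvr32.exe",
        CommandLine=r'"C:\Windows\System32\regsvr32.exe" /s C:\ProgramData\Vendor\Temp\ctl.dll'),
    "renamed_binary": ProcessEvent(
        Image=r"C:\Users\Public\svc.exe",
        OriginalFileName="regsvr32.exe",
        CommandLine=r"svc.exe -s C:\Users\Public\x.dll"),
    "not_regsvr32": ProcessEvent(
        Image=r"C:\Windows\System32\cmd.exe",
        OriginalFileName="Cmd.Exe",
        CommandLine=r"cmd.exe /c dir C:\Users\Public"),
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return name -> matched."""
    return {name: matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:32s} {'ALERT' if hit else 'ok'}")
```

Two things the samples make visible. The second event is selected by both regexes (a silent switch and a \Temp path) but is dropped by the c:\programdata\ exclusion, which is exactly the false-positive path the table says rules have learned to filter. The third event shows why the OriginalFileName indicator is worth its 11 rules: a renamed copy never ends with \regsvr32.exe. Note also that the page's silent-switch sample regex includes a space in its character class, so it also matches any argument beginning with s; treat it as a starting point, not a finished predicate.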

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.

Sigma 19 rules

Elastic 17 rules

Splunk 12 rules

Kusto 2 rules