Regsvr32 (533d2c42-45a7-456e-af75-b61e2aff98a7)
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to register dlls
Author: Oddvar Moe
Paths: * C:\Windows\System32\regsvr32.exe * C:\Windows\SysWOW64\regsvr32.exe
Resources: * https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md
Detection: * Sigma: proc_creation_win_regsvr32_susp_parent.yml * Sigma: proc_creation_win_regsvr32_susp_child_process.yml * Sigma: proc_creation_win_regsvr32_susp_exec_path_1.yml * Sigma: proc_creation_win_regsvr32_network_pattern.yml * Sigma: net_connection_win_regsvr32_network_activity.yml * Sigma: dns_query_win_regsvr32_network_activity.yml * Sigma: proc_creation_win_regsvr32_flags_anomaly.yml * Sigma: file_event_win_net_cli_artefact.yml * Splunk: detect_regsvr32_application_control_bypass.yml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Elastic: execution_register_server_program_connecting_to_the_internet.toml * IOC: regsvr32.exe retrieving files from Internet * IOC: regsvr32.exe executing scriptlet (sct) files * IOC: DotNet CLR libraries loaded into regsvr32.exe * IOC: DotNet CLR Usage Log - regsvr32.exe.log[LOLBAS Regsvr32]