{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/njrat/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Remcos","njRAT"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["lolbin","dll-loading","regsvr32"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the abuse of \u003ccode\u003eregsvr32.exe\u003c/code\u003e, a legitimate Microsoft Windows utility, to load and execute malicious DLLs. Attackers, including those using Remote Access Trojans (RATs) like Remcos and njRAT, leverage \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e/s\u003c/code\u003e (silent) parameter and the \u003ccode\u003eDLLInstall\u003c/code\u003e function call. The activity is observed by analyzing process command-line arguments and parent process details from Endpoint Detection and Response (EDR) agents. This technique allows attackers to bypass application whitelisting and execute arbitrary code, maintain persistence, and compromise the system further. The detection described was published in splunk-escu on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unknown vector (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious DLL on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e/s\u003c/code\u003e (silent) parameter and the \u003ccode\u003eDLLInstall\u003c/code\u003e function, for example: \u003ccode\u003eregsvr32.exe /s /i:DLLInstall \u0026lt;malicious_dll_path\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRegsvr32.exe\u003c/code\u003e loads the specified DLL.\u003c/li\u003e\n\u003cli\u003eThe DLLInstall function within the DLL executes, performing malicious actions. This could involve installing services, modifying registry keys, or injecting code into other processes.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through registry modifications or scheduled tasks created by the DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the system, potentially installing additional malware or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to execute arbitrary code, bypass application whitelisting, and establish persistence on compromised systems. This can lead to data theft, system disruption, or ransomware deployment. The affected systems can be remotely controlled by the attacker, enabling further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegsvr32 Silent and Install Param Dll Loading\u003c/code\u003e to detect instances of \u003ccode\u003eregsvr32.exe\u003c/code\u003e being used with the \u003ccode\u003e/s\u003c/code\u003e and \u003ccode\u003e/i\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (Event ID 4688) to capture the necessary process and command-line information.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eregsvr32.exe\u003c/code\u003e execution with the silent and DLLInstall parameters, paying close attention to the parent process and the DLL being loaded.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003eregsvr32.exe\u003c/code\u003e or other LOLBins from untrusted locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-regsvr32-dll-loading/","summary":"Detection of regsvr32.exe being used with the silent and DLL install parameter to load a DLL, a technique used by RATs like Remcos and njRAT to execute arbitrary code.","title":"Regsvr32 Silent and Install Parameter DLL Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-03-regsvr32-dll-loading/"}],"language":"en","title":"CraftedSignal Threat Feed — NjRAT","version":"https://jsonfeed.org/version/1.1"}