Attack Chain

1. An attacker gains initial access via an unknown vector (e.g., phishing, exploit).
2. The attacker deploys a malicious DLL on the compromised system.
3. The attacker executes regsvr32.exe with the /s (silent) parameter and the DLLInstall function, for example: regsvr32.exe /s /i:DLLInstall <malicious_dll_path>.
4. Regsvr32.exe loads the specified DLL.
5. The DLLInstall function within the DLL executes, performing malicious actions. This could involve installing services, modifying registry keys, or injecting code into other processes.
6. The attacker establishes persistence through registry modifications or scheduled tasks created by the DLL.
7. The attacker executes arbitrary commands on the system, potentially installing additional malware or exfiltrating data.
8. The attacker achieves their final objective, such as data theft, system disruption, or ransomware deployment.

Impact

Successful exploitation can allow attackers to execute arbitrary code, bypass application whitelisting, and establish persistence on compromised systems. This can lead to data theft, system disruption, or ransomware deployment. The affected systems can be remotely controlled by the attacker, enabling further lateral movement within the network.

Recommendation

• Deploy the Sigma rule Regsvr32 Silent and Install Param Dll Loading to detect instances of regsvr32.exe being used with the /s and /i parameters.
• Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (Event ID 4688) to capture the necessary process and command-line information.
• Investigate any instances of regsvr32.exe execution with the silent and DLLInstall parameters, paying close attention to the parent process and the DLL being loaded.
• Implement application control policies to restrict the execution of regsvr32.exe or other LOLBins from untrusted locations.