Tag

Regsvr32

2 briefs RSS

Suspicious Network Connection via Registration Utility

The native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection may indicate an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.

Windows execution defense evasion regsvr32

2r 4t Jan 3, 2024

high threat

Regsvr32 Silent and Install Parameter DLL Loading

2 rules 2 TTPs

Detection of regsvr32.exe being used with the silent and DLL install parameter to load a DLL, a technique used by RATs like Remcos and njRAT to execute arbitrary code.

Splunk Enterprise +2 Remcos +1 lolbin dll-loading regsvr32

2r 2t Jan 3, 2024