{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/regsvr32/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["execution","defense evasion","windows","regsvr32"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may abuse native Windows registration utilities such as \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003eRegAsm.exe\u003c/code\u003e, and \u003ccode\u003eRegSvcs.exe\u003c/code\u003e to execute malicious code and bypass security controls. These utilities are often used to register and unregister COM objects and .NET assemblies, but can also be leveraged to download and execute arbitrary scripts from remote locations. The behavior is commonly seen in post-exploitation scenarios. This activity can be used to bypass application allow lists and evade defenses. This behavior has been observed across multiple threat actors and attack campaigns, making it a reliable indicator of suspicious or malicious activity. 
This detection focuses on the network connection initiated by these utilities, highlighting potential misuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a registration utility (e.g., \u003ccode\u003eregsvr32.exe\u003c/code\u003e) to execute a malicious script or download a payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe registration utility makes an outbound network connection to a malicious server to download the payload.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, potentially leading to further compromise of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance on the compromised system to gather information about the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network, leveraging the compromised system as a pivot point.\u003c/li\u003e\n\u003cli\u003eThe attacker installs persistence mechanisms to maintain access to the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware, depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive data, or disrupt business operations. The affected systems can be used as a beachhead for further attacks on the internal network, potentially leading to widespread compromise. The use of signed Microsoft binaries makes detection more challenging, as these tools are often trusted by default. 
While the underlying rule carries a low risk score (21) and a low severity, the activity is often tied to initial access and can lead to high impact later in the intrusion.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation (Event ID 1) and network connection (Event ID 3) logging to ensure visibility into the execution of registration utilities and their network activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious network connections initiated by \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003eRegAsm.exe\u003c/code\u003e, and \u003ccode\u003eRegSvcs.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the command-line arguments used (in particular any remote URL passed to the utility), the parent process that launched it, and the destination IP addresses; an outbound connection to an external address from a utility whose legitimate job is local registration is the signal this detection is built on.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised system, restricting lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected registry modifications associated with the execution of registration utilities, as these can indicate persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and update application allow lists to ensure that only authorized uses of registration utilities are permitted.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-regsvr-network-connection/","summary":"The native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection may indicate an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.","title":"Suspicious Network Connection via Registration Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-regsvr-network-connection/"},
{"_cs_actors":["Remcos","njRAT"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["lolbin","dll-loading","regsvr32"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the abuse of \u003ccode\u003eregsvr32.exe\u003c/code\u003e, a legitimate Microsoft Windows utility, to load and execute malicious DLLs. Attackers, including those using Remote Access Trojans (RATs) like Remcos and njRAT, run \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e/s\u003c/code\u003e (silent) parameter and the \u003ccode\u003e/i\u003c/code\u003e parameter, which makes \u003ccode\u003eregsvr32.exe\u003c/code\u003e call the DLL's \u003ccode\u003eDllInstall\u003c/code\u003e export. The activity is observed by analyzing process command-line arguments and parent process details from Endpoint Detection and Response (EDR) agents. This technique allows attackers to bypass application whitelisting and execute arbitrary code, maintain persistence, and compromise the system further. The detection described was published in splunk-escu on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unknown vector (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious DLL on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e/s\u003c/code\u003e (silent) parameter and the \u003ccode\u003e/i\u003c/code\u003e parameter, which calls \u003ccode\u003eDllInstall\u003c/code\u003e and can pass it an argument string in the form \u003ccode\u003e/i:\u0026lt;argument\u0026gt;\u003c/code\u003e, for example: \u003ccode\u003eregsvr32.exe /s /i \u0026lt;malicious_dll_path\u0026gt;\u003c/code\u003e. Unless \u003ccode\u003e/n\u003c/code\u003e is also given, \u003ccode\u003eregsvr32.exe\u003c/code\u003e calls \u003ccode\u003eDllRegisterServer\u003c/code\u003e first, so the DLL can run its code from either export.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRegsvr32.exe\u003c/code\u003e loads the specified DLL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDllInstall\u003c/code\u003e function within the DLL executes, performing malicious actions. This could involve installing services, modifying registry keys, or injecting code into other processes.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through registry modifications or scheduled tasks created by the DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the system, potentially installing additional malware or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to execute arbitrary code, bypass application whitelisting, and establish persistence on compromised systems. This can lead to data theft, system disruption, or ransomware deployment. The affected systems can be remotely controlled by the attacker, enabling further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegsvr32 Silent and Install Param Dll Loading\u003c/code\u003e to detect instances of \u003ccode\u003eregsvr32.exe\u003c/code\u003e being used with the \u003ccode\u003e/s\u003c/code\u003e and \u003ccode\u003e/i\u003c/code\u003e parameters; match the flags case-insensitively, since \u003ccode\u003eregsvr32.exe\u003c/code\u003e does not care about their case.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Security process creation auditing (Event ID 4688) with command-line logging turned on, so that the parameters are actually recorded.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eregsvr32.exe\u003c/code\u003e execution with the silent and install parameters, paying close attention to the parent process (for example an Office application or a script host) and to the path and signature of the DLL being loaded.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003eregsvr32.exe\u003c/code\u003e or other LOLBins from untrusted locations.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-regsvr32-dll-loading/","summary":"Detection of regsvr32.exe being used with the silent and DLL install parameter to load a DLL, a technique used by RATs like Remcos and njRAT to execute arbitrary code.","title":"Regsvr32 Silent and Install Parameter DLL Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-03-regsvr32-dll-loading/"}],"language":"en","title":"CraftedSignal Threat Feed — Regsvr32","version":"https://jsonfeed.org/version/1.1"}
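Added example, not part of the CraftedSignal feed nor of the Elastic or Splunk detection content it summarises: the two detections described in the briefs above (a registration utility initiating a network connection, and regsvr32.exe launched with /s plus /i) re-implemented as plain Python and run over constructed Sysmon-style events, so the matching logic can be checked offline before it is turned into a SIEM query. The event field names (Image, CommandLine, ParentImage, DestinationIp, DestinationPort), the sample events, the internal-network list and the "trusted directory" triage hint are assumptions made for this demo.

```python
# Added example (not CraftedSignal, Elastic or Splunk code): both detections on
# this page as plain Python over constructed Sysmon-style events. Assumed field
# names: Image, CommandLine, ParentImage, DestinationIp, DestinationPort;
# EventID 1 = process creation, EventID 3 = network connection.
import re
import shlex
from ipaddress import ip_address, ip_network

REGISTRATION_UTILITIES = {"regsvr32.exe", "regsvr64.exe", "regasm.exe", "regsvcs.exe"}
# RFC 1918 plus loopback and link-local; anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Assumed "expected" DLL locations, used only as a triage hint.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# A switch is "/x" or "-x", optionally "/x:value" (the DllInstall argument).
FLAG_RE = re.compile(r"^[/-]([A-Za-z])(?::(.*))?$")


def image_name(path):
    """Lower-cased basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_internal(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect_registration_utility_netconn(event):
    """Brief 1: a registration utility initiating a network connection (EID 3)."""
    name = image_name(event.get("Image", ""))
    if event.get("EventID") != 3 or name not in REGISTRATION_UTILITIES:
        return None
    dst = event.get("DestinationIp", "")
    return {"rule": "Suspicious Network Connection via Registration Utility",
            "image": name, "destination": f"{dst}:{event.get('DestinationPort')}",
            "external": not is_internal(dst), "command_line": event.get("CommandLine", "")}


def parse_regsvr32_cmdline(cmdline):
    """Return ({flag: value-or-None}, dll_path). Flags are matched case-insensitively
    and with either prefix so "-S" does not evade a "/s" check; quoted paths stay whole."""
    flags, positional = {}, []
    for tok in shlex.split(cmdline, posix=False):
        tok = tok.strip('"')
        m = FLAG_RE.match(tok)
        if m:
            value = m.group(2)
            flags[m.group(1).lower()] = value.strip('"') if value is not None else None
        else:
            positional.append(tok)
    # positional[0] is regsvr32 itself; the DLL is the first real argument.
    return flags, (positional[1] if len(positional) > 1 else None)


def detect_regsvr32_silent_install(event):
    """Brief 2: regsvr32.exe launched with /s (silent) and /i (call DllInstall)."""
    if event.get("EventID") != 1 or image_name(event.get("Image", "")) != "regsvr32.exe":
        return None
    flags, dll = parse_regsvr32_cmdline(event.get("CommandLine", ""))
    if "s" not in flags or "i" not in flags:
        return None
    return {"rule": "Regsvr32 Silent and Install Parameter DLL Loading",
            "dll": dll, "dllinstall_arg": flags["i"],
            # Without /n regsvr32 also calls DllRegisterServer before DllInstall.
            "calls_dllregisterserver": "n" not in flags,
            "dll_in_trusted_dir": bool(dll) and dll.lower().startswith(TRUSTED_DIRS),
            "parent": image_name(event.get("ParentImage", ""))}


def run_detections(events):
    """Apply both detections and return every alert raised, in event order."""
    checks = (detect_registration_utility_netconn, detect_regsvr32_silent_install)
    return [hit for ev in events for check in checks if (hit := check(ev))]


# Constructed sample telemetry for the demo (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\payload.dll",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s /i C:\Users\alice\AppData\Local\Temp\update.dll'},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'regsvr32 -S -N -I:install "C:\Users\Public\loader.dll"'},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it raises three alerts: one external connection from regsvr32.exe, and two silent-install launches, the last of which also carries /n, so only DllInstall (not DllRegisterServer) would run. The msiexec-spawned registration without /i and the svchost connection produce nothing. The command-line parser keeps quoted paths intact and normalises prefix and case, which is the part a SIEM string match most often gets wrong.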