Register to stream ATT&CKcon 2.0 October 29-30

Regsvr32

Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. [1]

Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.

Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. [2] This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. [3] [4]

Regsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via Component Object Model Hijacking. [3]

ID: T1117
Tactic: Defense Evasion, Execution
Platform: Windows
Permissions Required: User, Administrator
Data Sources: Loaded DLLs, Process monitoring, Windows Registry, Process command-line parameters
Defense Bypassed: Process whitelisting, Anti-virus, Digital Certificate Validation
Contributors: Casey Smith
Version: 1.1

Procedure Examples

Name Description
APT19 APT19 used Regsvr32 to bypass application whitelisting techniques. [23]
APT32 APT32 created a Scheduled Task that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor. [20] [21] [22]
Astaroth Astaroth can be loaded through regsvr32.exe. [17]
Cobalt Group Cobalt Group has used regsvr32.exe to execute scripts. [24] [25] [26]
Deep Panda Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks. [19]
Derusbi Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe. [16]
Hi-Zor Hi-Zor executes using regsvr32.exe called from the Registry Run Keys / Startup Folder persistence mechanism. [14]
Koadic Koadic can use Regsvr32 to execute additional payloads. [12]
Leviathan Leviathan has used regsvr32 for execution. [13]
Orz Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload. [13]
RogueRobin RogueRobin uses regsvr32.exe to run a .sct file for execution. [18]
WIRTE WIRTE has used Regsvr32.exe to trigger the execution of a malicious script. [27]
Xbash Xbash can use regsvr32 for executing scripts. [15]

Mitigations

Mitigation Description
Exploit Protection Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting. Identify and block potentially malicious software executed through regsvr32 functionality by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. [5] [6] [7] [8] [9] [10] [11]

Detection

Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. [3]

References

  1. Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016.
  2. Smith, C. (2016, April 19). Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files). Retrieved June 30, 2017.
  3. Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018.
  4. Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017.
  5. National Security Agency. (2016, May 4). Secure Host Baseline EMET. Retrieved June 22, 2016.
  6. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  7. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  8. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  9. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  10. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  11. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  12. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  13. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  14. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  1. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  2. Fidelis Threat Research Team. (2016, May 2). Turbo Twist: Two 64-bit Derusbi Strains Converge. Retrieved August 16, 2018.
  3. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  4. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  5. RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.
  6. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  7. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  8. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  9. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  10. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  11. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  12. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  13. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.