Description
Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister Object Linking and Embedding (OLE) controls, including dynamic link libraries (DLLs), on Windows systems. Because it ships with Windows, the Regsvr32.exe binary is signed by Microsoft. (Citation: Microsoft Regsvr32)
Malicious usage of Regsvr32.exe may avoid triggering security tools that do not monitor execution of, or modules loaded by, the regsvr32.exe process, either because the binary is allowlisted or because its routine use by Windows installers generates false positives. Regsvr32.exe can also be used to bypass application control: it can load COM scriptlets (.sct files) through scrobj.dll and thereby execute code under the invoking user's permissions. Since Regsvr32.exe is network and proxy aware, the scriptlet can be fetched by passing a uniform resource locator (URL) pointing to a file on an external web server as the `/i:` argument during invocation. This method makes no changes to the Registry, as the COM object is never actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is commonly referred to as "Squiblydoo" and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)
Mitigations (1)
Exploit Protection (M1050)
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass application control. (Citation: Secure Host Baseline EMET) Note that EMET reached end of life in July 2018; on supported Windows versions the equivalent controls are the Attack Surface Reduction rules in Windows Defender Exploit Guard. Identify and block potentially malicious software executed through regsvr32 functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G0127 | TA551 | [TA551](https://attack.mitre.org/groups/G0127) has used regsvr32.exe to load malicious DLLs.(Citation: Unit 42 Valak July 2020) |
| G0009 | Deep Panda | [Deep Panda](https://attack.mitre.org/groups/G0009) has used regsvr32.exe to execute a server variant of [Derusbi](https://attack.mitre.org/software/S... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used regsvr32.exe to execute scripts.(Citation: Talos Cobalt Group July 2018)(Citation: Morp... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has launched [Cobalt Strike](https://attack.mitre.org/software/S0154) Beacon files using regsvr32.... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.(Citation: RedCanary Mockin... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used regsvr32 for execution.(Citation: Proofpoint Leviathan Oct 2017) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has executed malware with <code>regsvr32s</code>.(Citation: Gen Digital Kimsuky HTTPTroy October 2025... |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has ensured persistence at system boot by setting the value <code>regsvr32 %path%\ctfmonrn.dll /s</... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used `regsvr32.exe` to trigger the execution of a malicious script.(Citation: Lab52 WIRTE Apr 2019) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) created a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) that used regsvr32.exe to exe... |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) used Regsvr32 to bypass application control techniques.(Citation: FireEye APT19) |
Associated Software (23)
| ID | Name | Type | Context |
|---|---|---|---|
| S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) has used `regsvr32` to execute scripts.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Pa... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use Regsvr32 to execute malicious DLLs.(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) uses RegSvr32 to execute the DLL payload.(Citation: emotet_trendmicro_mar2023) |
| S0229 | Orz | Malware | Some [Orz](https://attack.mitre.org/software/S0229) versions have an embedded DLL known as MockDll that uses [Process Hollowing](https://attack.mitre.... |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) can use Regsvr32 to execute additional payloads.(Citation: Github Koadic) |
| S0476 | Valak | Malware | [Valak](https://attack.mitre.org/software/S0476) has used <code>regsvr32.exe</code> to launch malicious DLLs.(Citation: Cybereason Valak May 2020)(Cit... |
| S1030 | Squirrelwaffle | Malware | [Squirrelwaffle](https://attack.mitre.org/software/S1030) has been executed using `regsvr32.exe`.(Citation: ZScaler Squirrelwaffle Sep 2021) |
| S1047 | Mori | Malware | [Mori](https://attack.mitre.org/software/S1047) can use `regsvr32.exe` for DLL execution.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| S1155 | Covenant | Tool | [Covenant](https://attack.mitre.org/software/S1155) can create SCT files for installation via `Regsvr32` to deploy new Grunt listeners.(Citation: Gith... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) can be loaded through regsvr32.exe.(Citation: Cybereason Astaroth Feb 2019) |
| S0384 | Dridex | Malware | [Dridex](https://attack.mitre.org/software/S0384) can use `regsvr32.exe` to initiate malicious code.(Citation: Red Canary Dridex Threat Report 2021) |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) uses regsvr32.exe execution without any command line parameters for command and control req... |
| S0021 | Derusbi | Malware | [Derusbi](https://attack.mitre.org/software/S0021) variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.(Cita... |
| S0270 | RogueRobin | Malware | [RogueRobin](https://attack.mitre.org/software/S0270) uses regsvr32.exe to run a .sct file for execution.(Citation: Unit42 DarkHydrus Jan 2019) |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has used regsvr32.exe to execute the windows `DLLRegisterServer` function.(Citation: Trend Micro ... |
| S0481 | Ragnar Locker | Malware | [Ragnar Locker](https://attack.mitre.org/software/S0481) has used regsvr32.exe to execute components of VirtualBox.(Citation: Sophos Ragnar May 2020) |
| S0698 | HermeticWizard | Malware | [HermeticWizard](https://attack.mitre.org/software/S0698) has used `regsvr32.exe /s /i` to execute malicious payloads.(Citation: ESET Hermetic Wizard ... |
| S0554 | Egregor | Malware | [Egregor](https://attack.mitre.org/software/S0554) has used regsvr32.exe to execute malicious DLLs.(Citation: JoeSecurity Egregor 2020) |
| S0284 | More_eggs | Malware | [More_eggs](https://attack.mitre.org/software/S0284) has used regsvr32.exe to execute the malicious DLL.(Citation: Security Intelligence More Eggs Aug... |
| S0568 | EVILNUM | Malware | [EVILNUM](https://attack.mitre.org/software/S0568) can run a remote scriptlet that drops a file and executes it via regsvr32.exe.(Citation: ESET EvilN... |
References
- Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017.
- LOLBAS. (n.d.). Regsvr32.exe. Retrieved July 31, 2019.
- Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016.
- Nolen, R. et al. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018.
Frequently Asked Questions
What is T1218.010 (Regsvr32)?
T1218.010 is a MITRE ATT&CK sub-technique named 'Regsvr32', under System Binary Proxy Execution (T1218) in the Defense Evasion tactic. Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister Object Linking and Embedding (OLE) controls, including dynamic link libraries (DLLs), on Windows systems.
How can T1218.010 be detected?
Detection of T1218.010 (Regsvr32) relies on process-creation and command-line telemetry for regsvr32.exe: look for `/i:` arguments carrying a URL or UNC path, the scrobj.dll scriptlet host, DLLs loaded from user-writable directories, invocations with no arguments at all, and regsvr32.exe spawned by Office applications or script hosts. Correlate with module loads by regsvr32.exe and with outbound network connections from it, which legitimate registration activity does not produce. Baseline normal installer use of regsvr32.exe first, since the binary is signed and routinely run by Windows, so naive alerting on its execution produces false positives.
What mitigations exist for T1218.010?
There is 1 documented mitigation for T1218.010: Exploit Protection (M1050).
Which threat groups use T1218.010?
Known threat groups using T1218.010 include: TA551, Deep Panda, Cobalt Group, Storm-0501, Blue Mockingbird, Leviathan, Kimsuky, Inception, WIRTE, APT32, and APT19.