detection.wiki

ATT&CK coverage › Technique

System Binary Proxy Execution: Regsvr32 T1218.010

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.

Events covered

9 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon3Network connection
Sysmon7Image loaded
Sysmon12RegistryEvent (Object create and delete)
Sysmon13RegistryEvent (Value Set)
Sysmon22DNSEvent (DNS query)
Security-Auditing4688A new process has been created.
Defender-DeviceImageLoadEvents9006000Image load (any)
Defender-DeviceProcessEvents9001000Process activity (any)

Authoring guide

Patterns shared across the 20 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (11 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Image17ends_with 17, match 1, eq 1, starts_with 1\regsvr32.exe, \rundll32.exe, \MSHTA.EXE, \wmic.exe, \nltest.exe
CommandLine12match 10, ends_with 2, is_null 1, eq 1\AppData\Local\Temp\, -i:, -n , -u -p , /i:http://9
OriginalFileName9eq 9REGSVR32.EXE, wmic.exe, HH.exe, WorkFolders.exe, PowerShell.EXE
ParentImage6ends_with 6, eq 1\EXCEL.EXE, \MSACCESS.EXE, \MSPUB.exe, \hh.exe, \regsvr32.exe
InitiatingProcessFileName2match 2rundll32.exe, regsvr32.exe, pwsh.exe, wscript.exe, powershell.exe
FileName1match 1rundll32.exe, regsvr32.exe
Initiated1eq 1true
Signed1eq 1, is_null 1-, true
SignatureStatus1is_null 1, eq 1errorExpired, Valid, -
ImageLoaded1starts_with 1, ends_with 1.tmp-\Avira.OE.Setup.CustomActions.dll, C:\Windows\Installer\, C:\Windows\assembly\NativeImages
registry_path1eq 1"*\\CLSID\\{89565275-A714-4a43-912E-978B935EDCCC}\\InProc...

Top indicator values (265 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
Imageends_with\regsvr32.exe1457
OriginalFileNameeqREGSVR32.EXE510
Imageends_with\cscript.exe464
Imageends_with\wscript.exe464
Imageends_with\rundll32.exe476
Imageends_with\msiexec.exe321
Imageends_with\cmd.exe392
Imageends_with\pwsh.exe3140
Imageends_with\powershell.exe3143
Imageends_with\schtasks.exe345
Imageends_with\mshta.exe357
Imageends_with\installutil.exe25
Imageends_with\wmic.exe237
CommandLinematch:\Temp\214
CommandLinematch\AppData\Local\Temp\216
Imageends_with\hh.exe214
OriginalFileNameeqHH.exe25
Imageends_with\verclsid.exe24
ParentImageends_with\wordview.exe22
ParentImageends_with\WINWORD.EXE23

Common exclusions (1 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
FileNameends_with.dll1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 17 rules

Splunk 1 rule

Kusto Query Language 2 rules