Detect Regsvr32 Application Control Bypass

Detect Regsvr32 Application Control Bypass


Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a "Squiblydoo" attack. \ Upon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for "scrobj.dll", the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution.


Detect Regsvr32 Application Control Bypass Help

To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Processes node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.


Open in Search