RegSvr32 Scriptlet Execution¶

Detect regsvr32 loading a script object (scrobj).

id:	82200c71-f3c3-4b6c-aead-9cafeab602f5
categories:	detect
confidence:	medium
os:	windows
created:	11/30/2018
updated:	11/30/2018

MITRE ATT&CK™ Mapping¶

tactics:	Execution
techniques:	T1117 Regsvr32

Query¶

process where subtype.create and
  process_name == "regsvr32.exe" and
  wildcard(command_line, "*scrobj*", "*/i:*", "*-i:*", "*.sct*")

Detonation¶

Atomic Red Team: T1117

Contributors¶

Endgame

Read the Docs v: latest

Versions: latest

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.