Threat analysis: Regsvr32 is the third most popular ATT&CK technique

Trusted by default and not easily disabled, Regsvr32 (T1117) is a favorite technique among adversaries. Both stealthy and practical, it can be used to perform a variety of malicious actions that are difficult to detect or block. All in all, it’s no surprise that we see it so frequently in the environments we monitor.

In fact, regsvr32 is the third most popular adversary technique, according to our 2019 Threat Detection Report. As part of an ongoing blog series, we’re posting an excerpt from the regsvr32 section of that report below. If you missed the prior installments, check out the following:

• spearphishing attachments (T1193)
• connection proxies (T1090)

In the coming weeks, we’ll publish our analysis on Scripting and PowerShell, which are the top two techniques we’ve observed.

Why is T1117 prevalent?

Regsvr32 offers a simple and elegant way for adversaries to execute native code or scripts, either by staging resources locally or by loading them from a remote location. Because the technique leverages a trusted component of the Windows platform that cannot be easily disabled or constrained and detection depends on close inspection of process-level telemetry, this technique remains effective and popular with everyone from purveyors of unwanted software to high-profile actors.

In addition to evading detection by most protection products for well over a year, this technique remains effective due to derivative attack vectors that allow for execution of VBScript and JScript via regsvr32. As a result, these scripts can be used to craft and execute payloads without calling the native wscript.exe and cscript.exe handlers, circumventing detection that relies on these processes and also bypassing Windows Script Host controls.

Prominent examples

Ocean Lotus group

Ocean Lotus is a suspected state-sponsored espionage group known to target private companies, government agencies, journalists, and dissidents, with a particular interest in organizations and individuals with ties to Vietnam. The group typically leverages spearphishing emails that social engineer their targets into enabling macros that create scheduled tasks, ensuring that a pair of backdoors can persist through reboots. One of the scheduled tasks used by Ocean Lotus leverages regsvr32 to bypass Windows application whitelisting controls every 30 minutes, ultimately launching a COM scriptlet that downloads later-stage Meterpreter and Cobalt Strike payloads.

APT19

The espionage group APT19 leveraged regsvr32 in a phishing campaign that targeted a handful of law firms and financial services companies around the world in mid-2017. The adversaries developed a macro that leveraged regsvr32 to launch a Windows script component (SCT) file. The SCT file, in turn, launched what appeared to be a Cobalt Strike payload.

Detection strategies

According to MITRE, there are a number of data sources associated with regsvr32, and having access to these will help security teams detect adversaries using the technique in their environments.

DATA SOURCES:

• Loaded DLLs
• Process monitoring
• Process command-line parameters
• Windows Registry

ADVERSARY BEHAVIORS:

• File modification in the user’s profile, either during staging of a local resource or as an artifact of remote resource load
• Network connections initiated by regsvr32.exe processes
• Module loads for scrobj.dll, in the event that the resource is a COM Scriptlet

The regsvr32 technique can be executed by loading a local or remote resource that can be either a DLL or COM Scriptlet. Detection of this technique requires observation of module loads and the process command line at a minimum. Other valuable data types include process and binary metadata and network connection metadata correlated to process. These data types are available via commercial EDR tools or native monitoring tools such as Sysmon.

This technique and others like it also require an understanding of T1036 or Masquerading. Adversaries have been known to deliver their own copy of regsvr32.exe, copy the local binary to another location, and rename it prior to runtime to evade fragile detection logic that looks explicitly for standard paths and filenames.

What’s ahead?

Adversaries are almost certain to continue abusing regsvr32 for the foreseeable future. However, considering general trends in operating system hardening, techniques like regsvr32 are bound to become less effective—even if they don’t disappear entirely—in the coming years. In particular, Microsoft is continually adding security mitigations to the Windows operating system, and these are certain to diminish the utility and prevalence of regsvr32 among adversaries.