Regsvr32 (T1117)

View on ATT&CK

In Playbook

Technique & Subtechniques

  • Regsvr32

Associated Tactics

  • Defense Evasion
  • Execution

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

View on ATT&CK

Procedure Examples

Description Source(s)
Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016. Microsoft Regsvr32
LOLBAS. (n.d.). Regsvr32.exe. Retrieved July 31, 2019. LOLBAS Regsvr32
Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018. Carbon Black Squiblydoo Apr 2016
Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017. FireEye Regsvr32 Targeting Mongolian Gov