Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Утилита Regsvr32
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Утилита Regsvr32
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

System Binary Proxy Execution:  Утилита Regsvr32

ID Название
.001 CHM-файл
.002 Панель управления
.003 Установщик профилей диспетчера подключений (CMSTP)
.004 Утилита InstallUtil
.005 Утилита mshta
.007 Утилита msiexec
.008 Утилита odbcconf
.009 Утилиты Regsvcs и Regasm
.010 Утилита Regsvr32
.011 Rundll32
.012 Verclsid
.013 Mavinject
.014 MMC

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32) Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)

ID: T1218.010
Относится к технике:  T1218
Тактика(-и): Defense Evasion
Платформы: Windows
Требуемые разрешения: Administrator, User
Источники данных: Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Версия: 2.0
Дата создания: 23 Jan 2020
Последнее изменение: 11 Mar 2022

Примеры процедур
Название Описание
Saint Bot

Saint Bot has used `regsvr32` to execute scripts.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
QakBot

QakBot can use Regsvr32 to execute malicious DLLs.(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)
TA551

TA551 has used regsvr32.exe to load malicious DLLs.(Citation: Unit 42 Valak July 2020)
Orz

Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload.(Citation: Proofpoint Leviathan Oct 2017)
Koadic

Koadic can use Regsvr32 to execute additional payloads.(Citation: Github Koadic)
Valak

Valak has used regsvr32.exe to launch malicious DLLs.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)
Squirrelwaffle

Squirrelwaffle has been executed using `regsvr32.exe`.(Citation: ZScaler Squirrelwaffle Sep 2021)
Mori

Mori can use `regsvr32.exe` for DLL execution.(Citation: DHS CISA AA22-055A MuddyWater February 2022)
Astaroth

Astaroth can be loaded through regsvr32.exe.(Citation: Cybereason Astaroth Feb 2019)
Derusbi

Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.(Citation: ThreatGeek Derusbi Converge)
Deep Panda

Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.(Citation: RSA Shell Crew)
RogueRobin

RogueRobin uses regsvr32.exe to run a .sct file for execution.(Citation: Unit42 DarkHydrus Jan 2019)
Cobalt Group

Cobalt Group has used regsvr32.exe to execute scripts.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)
Ragnar Locker

Ragnar Locker has used regsvr32.exe to execute components of VirtualBox.(Citation: Sophos Ragnar May 2020)
Blue Mockingbird

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.(Citation: RedCanary Mockingbird May 2020)

HermeticWizard

HermeticWizard has used `regsvr32.exe /s /i` to execute malicious payloads.(Citation: ESET Hermetic Wizard March 2022)
Egregor

Egregor has used regsvr32.exe to execute malicious DLLs.(Citation: JoeSecurity Egregor 2020)

During C0015, the threat actors employed code that used `regsvr32` for execution.(Citation: DFIR Conti Bazar Nov 2021)
Leviathan

Leviathan has used regsvr32 for execution.(Citation: Proofpoint Leviathan Oct 2017)
Kimsuky

Kimsuky has executed malware with regsvr32s.(Citation: KISA Operation Muzabi)
Lazarus Group

Lazarus Group has used rgsvr32 to execute custom malware.(Citation: ESET Lazarus Jun 2020)
Inception

Inception has ensured persistence at system boot by setting the value regsvr32 %path%\ctfmonrn.dll /s.(Citation: Kaspersky Cloud Atlas December 2014)
WIRTE

WIRTE has used `regsvr32.exe` to trigger the execution of a malicious script.(Citation: Lab52 WIRTE Apr 2019)
More_eggs

More_eggs has used regsvr32.exe to execute the malicious DLL.(Citation: Security Intelligence More Eggs Aug 2019)
APT32

APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 May 2017)(Citation: Cybereason Cobalt Kitty 2017)

EVILNUM

EVILNUM can run a remote scriptlet that drops a file and executes it via regsvr32.exe.(Citation: ESET EvilNum July 2020)

Hi-Zor

Hi-Zor executes using regsvr32.exe called from the Registry Run Keys / Startup Folder persistence mechanism.(Citation: Fidelis INOCNATION)
AppleSeed

AppleSeed can call regsvr32.exe for execution.(Citation: Malwarebytes Kimsuky June 2021)
Xbash

Xbash can use regsvr32 for executing scripts.(Citation: Unit42 Xbash Sept 2018)
APT19

APT19 used Regsvr32 to bypass application control techniques.(Citation: FireEye APT19)

Контрмеры
Контрмера Описание
Exploit Protection

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Обнаружение

Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)

Ссылки

  1. Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017.
  2. Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018.
  3. LOLBAS. (n.d.). Regsvr32.exe. Retrieved July 31, 2019.
  4. Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016.
  5. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  6. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  7. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  8. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  9. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  10. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  11. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  12. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  13. National Security Agency. (2016, May 4). Secure Host Baseline EMET. Retrieved June 22, 2016.
  14. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  15. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  16. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  17. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  18. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  19. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  20. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.
  21. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  22. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  23. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  24. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  25. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  26. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  27. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  28. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  29. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  30. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  31. RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.
  32. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  33. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  34. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  35. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  36. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  37. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  38. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  39. Fidelis Threat Research Team. (2016, May 2). Turbo Twist: Two 64-bit Derusbi Strains Converge. Retrieved August 16, 2018.
  40. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  41. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  42. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  43. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  44. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  45. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  46. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  47. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.