Regsvr32 - veramine/Detections GitHub Wiki
Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can also be used to execute arbitrary binaries. Adversaries may take advantage of this functionality to proxy execution of code and avoid triggering security tools, which often do not monitor execution of, or modules loaded by, the regsvr32.exe process because it is whitelisted or because Windows itself uses regsvr32.exe for normal operations and would otherwise generate false positives. Regsvr32.exe is also a Microsoft-signed binary. You can read more about Regsvr32.exe attack techniques at https://attack.mitre.org/wiki/Technique/T1117.
The Veramine detection engine reports instances where Regsvr32.exe exhibits suspicious image load patterns often associated with malicious usage. This detection mechanism is not foolproof as legitimate usage sometimes exhibits similar image load patterns. However, we have found that this detection algorithm flags the majority of malicious regsvr32.exe usage and filters out much of the noise from legitimate regsvr32.exe executions. Here's an example detection:
With one click of the process detail link, we can see that this particular instance of regsvr32.exe also launched a child process, which is unusual behavior for regsvr32.exe and diverges from its norm. However, the legitimate use of regsvr32.exe by a wide variety of software can make detecting malicious use of regsvr32.exe more difficult. For example, in this simple demo environment, a search in the detections interface for "regsvr" shows several different detections that look suspicious, in addition to the x86.dll indicator highlighted above:
We can click the button to expand the "Icon Overlay" detection bucket, and we see what appears to be regsvr32 establishing a persistence mechanism:
We can click on the process details link of that process to get more details:
We see clues that this regsvr32.exe instance is related to likely-legitimate usage of the Dropbox client. If we click the parent process, we can see the full process tree, with regsvr32.exe used (legitimately) later in the sequence of processes:
The Veramine detection engine here highlighted several potentially interesting instances of regsvr32.exe establishing a persistence mechanism. A few seconds of investigation revealed that this was just the signed, authorized DropboxUpdate.exe process running as a service and installing an icon overlay to enable the distinctive Dropbox icon user experience:
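To make the triage logic walked through above concrete, here is an added Python illustration (not Veramine's engine or code): it scores constructed regsvr32.exe event records on the three signals the page discusses (non-system image loads, child processes, icon overlay persistence) and treats an overlay registered by a signed updater parent with nothing else unusual as likely legitimate. The field names, file paths, registry subkey and sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data and hypothetical field names: an added illustration of
# the triage logic described on the page, not Veramine's detection engine.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
OVERLAY_KEY = "shelliconoverlayidentifiers"  # shell icon overlay handler registry key

@dataclass
class Regsvr32Event:
    pid: int
    parent_image: str
    parent_signed: bool
    loaded_modules: list = field(default_factory=list)   # image load events
    child_processes: list = field(default_factory=list)  # process creation events
    registry_writes: list = field(default_factory=list)  # registry key paths written

def triage(ev: Regsvr32Event) -> dict:
    """Return {'reasons': [...], 'likely_legitimate': bool} for one regsvr32.exe run."""
    reasons = []
    # 1. Image load pattern: modules loaded from outside the Windows system directories.
    odd = [m for m in ev.loaded_modules if not m.lower().startswith(SYSTEM_DIRS)]
    if odd:
        reasons.append("non-system module load: " + ", ".join(odd))
    # 2. regsvr32 normally registers a DLL and exits; spawning children is off-norm.
    if ev.child_processes:
        reasons.append("child process: " + ", ".join(ev.child_processes))
    # 3. Persistence: registering a shell icon overlay handler.
    overlays = [k for k in ev.registry_writes if OVERLAY_KEY in k.lower()]
    if overlays:
        reasons.append("icon overlay persistence: " + ", ".join(overlays))
    # Context check from the page's Dropbox case: an overlay registered by a signed
    # installer/updater parent, with nothing else odd, is probably noise, not an attack.
    only_overlay = bool(overlays) and len(reasons) == 1
    return {"reasons": reasons,
            "likely_legitimate": not reasons or (only_overlay and ev.parent_signed)}

# Constructed events mirroring the two cases discussed on the page (paths made up).
SUSPICIOUS = Regsvr32Event(
    pid=4120, parent_image=r"C:\Windows\System32\cmd.exe", parent_signed=True,
    loaded_modules=[r"C:\Windows\System32\ole32.dll", r"C:\Temp\x86.dll"],
    child_processes=[r"C:\Windows\System32\cmd.exe"])
DROPBOX_OVERLAY = Regsvr32Event(
    pid=5008, parent_image=r"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe",
    parent_signed=True, loaded_modules=[r"C:\Windows\System32\ole32.dll"],
    registry_writes=[r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
                     r"\ShellIconOverlayIdentifiers\DropboxExt01"])  # subkey constructed

if __name__ == "__main__":
    for name, ev in (("suspicious", SUSPICIOUS), ("dropbox", DROPBOX_OVERLAY)):
        print(name, triage(ev))
```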