Clankerusecase
MITRE ATT&CK detection coverage

T1218.010 Regsvr32

T1218.010 — Regsvr32 is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 10 detection use cases covering it and 2 threat-intel articles citing it.

Defense Evasion
10 Use cases
2 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (10)

Detect Regsvr32 Application Control Bypass | ESCU | actions · alerting | P
Malicious InProcServer32 Modification | ESCU | actions · alerting | P
Regsvr32 Silent and Install Param Dll Loading | ESCU | actions · hunting | P
Regsvr32 with Known Silent Switch Cmdline | ESCU | actions · hunting | P
Suspicious Regsvr32 Register Suspicious Path | ESCU | actions · alerting | P
Windows IOBit Unlocker Extension DLL Registration via Regsvr32 | ESCU | actions · alerting | P
Windows Regsvr32 Renamed Binary | ESCU | actions · alerting | P
[LLM] Kimsuky HelloDoor 'tdll' Run-key persistence with regsvr32 loader | Bespoke | install · alerting | DSΣPDD
[LLM] Kimsuky JSE dropper: wscript -> powershell hidden + certutil -decode chain | Bespoke | delivery · alerting | DSΣPDD
[LLM] IoliteLabs Stage-2 regsvr32 LOLbin loading ntuser DLL from fake Chrome\ChromeUpdate path | Bespoke | install · alerting | DSΣPDD

Articles citing this technique (2)