Query Details

Detect when Regsvr32.exe is created as subprocess by an Office Application

Regsvr32started By Office Application

Query

let OfficeApplications = dynamic(['winword.exe', 'powerpnt.exe', 'excel.exe']);
DeviceProcessEvents
| where FileName == "regsvr32.exe"
| where InitiatingProcessFileName has_any (OfficeApplications)
| project
     TimeGenerated,
     DeviceName,
     AccountName,
     AccountDomain,
     ProcessCommandLine,
     InitiatingProcessCommandLine,
     InitiatingProcessFileName

About this query

Detect when Regsvr32.exe is created as subprocess by an Office Application

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1218.010System Binary Proxy Execution: Regsvr32Access https://attack.mitre.org/techniques/T1218/010/

Description

Regsvr32 can be abused to proxy execution of malicious code. It can be spawned from a Office Application to infect the system with malware. The Office applications would not spawn Regsvr32 themselfs.

References

Defender XDR

let OfficeApplications = dynamic(['winword.exe', 'powerpnt.exe', 'excel.exe']);
DeviceProcessEvents
| where FileName == "regsvr32.exe"
| where InitiatingProcessFileName has_any (OfficeApplications)
| project
     Timestamp,
     DeviceName,
     AccountName,
     AccountDomain,
     ProcessCommandLine,
     InitiatingProcessCommandLine,
     InitiatingProcessFileName

Sentinel

Explanation

This query is designed to detect potentially malicious activity where the "regsvr32.exe" process is created as a subprocess by an Office application, such as Word, PowerPoint, or Excel. This behavior is suspicious because "regsvr32.exe" can be used to execute malicious code, and Office applications typically do not spawn this process themselves.

Here's a simple breakdown of the query:

  1. Targeted Applications: The query focuses on three Office applications: Word (winword.exe), PowerPoint (powerpnt.exe), and Excel (excel.exe).

  2. Process Monitoring: It monitors events where the process "regsvr32.exe" is executed.

  3. Initiating Process Check: It specifically looks for instances where "regsvr32.exe" is initiated by any of the specified Office applications.

  4. Data Output: The query outputs relevant details such as the timestamp of the event, the device name, the account name and domain, and the command lines of both the "regsvr32.exe" process and the initiating Office application process.

This query is useful for identifying potential security threats where attackers might be using Office applications to indirectly execute malicious code through "regsvr32.exe".

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsFileNameInitiatingTimestampAccountDomainCommandLine

Operators

letdynamicwherehas_anyproject

MITRE Techniques

Actions

GitHub