Detect when Regsvr32.exe is created as subprocess by an Office Application
Regsvr32started By Office Application
Query
let OfficeApplications = dynamic(['winword.exe', 'powerpnt.exe', 'excel.exe']);
DeviceProcessEvents
| where FileName == "regsvr32.exe"
| where InitiatingProcessFileName has_any (OfficeApplications)
| project
TimeGenerated,
DeviceName,
AccountName,
AccountDomain,
ProcessCommandLine,
InitiatingProcessCommandLine,
InitiatingProcessFileNameAbout this query
Detect when Regsvr32.exe is created as subprocess by an Office Application
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1218.010 | System Binary Proxy Execution: Regsvr32 | Access https://attack.mitre.org/techniques/T1218/010/ |
Description
Regsvr32 can be abused to proxy execution of malicious code. It can be spawned from a Office Application to infect the system with malware. The Office applications would not spawn Regsvr32 themselfs.
References
- https://redcanary.com/threat-detection-report/threats/TA551/
- https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/
Defender XDR
let OfficeApplications = dynamic(['winword.exe', 'powerpnt.exe', 'excel.exe']);
DeviceProcessEvents
| where FileName == "regsvr32.exe"
| where InitiatingProcessFileName has_any (OfficeApplications)
| project
Timestamp,
DeviceName,
AccountName,
AccountDomain,
ProcessCommandLine,
InitiatingProcessCommandLine,
InitiatingProcessFileName
Sentinel
Explanation
This query is designed to detect potentially malicious activity where the "regsvr32.exe" process is created as a subprocess by an Office application, such as Word, PowerPoint, or Excel. This behavior is suspicious because "regsvr32.exe" can be used to execute malicious code, and Office applications typically do not spawn this process themselves.
Here's a simple breakdown of the query:
-
Targeted Applications: The query focuses on three Office applications: Word (
winword.exe), PowerPoint (powerpnt.exe), and Excel (excel.exe). -
Process Monitoring: It monitors events where the process "regsvr32.exe" is executed.
-
Initiating Process Check: It specifically looks for instances where "regsvr32.exe" is initiated by any of the specified Office applications.
-
Data Output: The query outputs relevant details such as the timestamp of the event, the device name, the account name and domain, and the command lines of both the "regsvr32.exe" process and the initiating Office application process.
This query is useful for identifying potential security threats where attackers might be using Office applications to indirectly execute malicious code through "regsvr32.exe".
