← Back to Explore
sigmalowHunting
RegAsm.EXE Execution Without CommandLine Flags or Files
Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity. Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
Detection Query
selection_img:
- Image|endswith: \RegAsm.exe
- OriginalFileName: RegAsm.exe
selection_cli:
CommandLine|endswith:
- RegAsm
- RegAsm.exe
- RegAsm.exe"
- RegAsm.exe'
condition: all of selection_*
Author
frack113
Created
2025-06-04
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
- https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
- https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
- https://www.joesandbox.com/analysis/1467354/0/html
Tags
attack.defense-evasionattack.t1218.009
Raw Content
title: RegAsm.EXE Execution Without CommandLine Flags or Files
id: 651f87f7-12db-47f9-84c5-f27b081b94b6
status: experimental
description: |
Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
references:
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
- https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
- https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
- https://www.joesandbox.com/analysis/1467354/0/html
author: frack113
date: 2025-06-04
tags:
- attack.defense-evasion
- attack.t1218.009
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\RegAsm.exe'
- OriginalFileName: 'RegAsm.exe'
selection_cli:
CommandLine|endswith:
- 'RegAsm'
- 'RegAsm.exe'
- 'RegAsm.exe"'
- "RegAsm.exe'"
condition: all of selection_*
falsepositives:
- Legitimate use of Regasm by developers.
# Note: You can increase after an initial baseline
level: low