← Back to Explore
sigmamediumHunting
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
Detection Query
selection_img:
- Image|endswith:
- \Regsvcs.exe
- \Regasm.exe
- OriginalFileName:
- RegSvcs.exe
- RegAsm.exe
selection_dir:
CommandLine|contains:
- \AppData\Local\Temp\
- \Microsoft\Windows\Start Menu\Programs\Startup\
- \PerfLogs\
- \Users\Public\
- \Windows\Temp\
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-08-25
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218.009
Raw Content
title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
id: cc368ed0-2411-45dc-a222-510ace303cb2
related:
- id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
references:
- https://www.fortiguard.com/threat-signal-report/4718?s=09
- https://lolbas-project.github.io/lolbas/Binaries/Regasm/
- https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
modified: 2023-02-13
tags:
- attack.defense-evasion
- attack.t1218.009
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\Regsvcs.exe'
- '\Regasm.exe'
- OriginalFileName:
- 'RegSvcs.exe'
- 'RegAsm.exe'
selection_dir:
CommandLine|contains:
# Note: Add more potentially suspicious directories
- '\AppData\Local\Temp\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
- '\PerfLogs\'
- '\Users\Public\'
- '\Windows\Temp\'
# - '\Desktop\'
# - '\Downloads\'
condition: all of selection_*
falsepositives:
- Unknown
level: medium