← Back to Explore
sigmamediumHunting
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
Detection Query
selection_img:
- Image|endswith:
- \Regsvcs.exe
- \Regasm.exe
- OriginalFileName:
- RegSvcs.exe
- RegAsm.exe
selection_extension:
CommandLine|contains:
- .dat
- .gif
- .jpeg
- .jpg
- .png
- .txt
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-02-13
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218.009
Raw Content
title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
related:
- id: cc368ed0-2411-45dc-a222-510ace303cb2
type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
references:
- https://www.fortiguard.com/threat-signal-report/4718?s=09
- https://lolbas-project.github.io/lolbas/Binaries/Regasm/
- https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
tags:
- attack.defense-evasion
- attack.t1218.009
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\Regsvcs.exe'
- '\Regasm.exe'
- OriginalFileName:
- 'RegSvcs.exe'
- 'RegAsm.exe'
selection_extension:
CommandLine|contains:
# Note: Add more potentially uncommon extensions
- '.dat'
- '.gif'
- '.jpeg'
- '.jpg'
- '.png'
- '.txt'
condition: all of selection_*
falsepositives:
- Unknown
level: medium