EXPLORE
Sign In
← Back to Explore
T1218.009

Regsvcs/Regasm

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm) Both utilities may be used to bypass application control through use of attributes within the binary to specify...

Windows
17
Detections
3
Sources
0
Threat Actors

BY SOURCE

7elastic6splunk_escu4sigma

PROCEDURES (12)

Child Process3 detections

Auto-extracted: 3 detections for child process

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Remote2 detections

Auto-extracted: 2 detections for remote

Parent Process2 detections

Auto-extracted: 2 detections for parent process

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Bypass1 detections

Auto-extracted: 1 detections for bypass

Inject1 detections

Auto-extracted: 1 detections for inject

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Inject1 detections

Auto-extracted: 1 detections for inject

Inject1 detections

Auto-extracted: 1 detections for inject

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

DETECTIONS (17)

Delayed Execution via Ping
elasticlow
Detect Regasm Spawning a Process
splunk_escu
Detect Regasm with Network Connection
splunk_escu
Detect Regasm with no Command Line Arguments
splunk_escu
Detect Regsvcs Spawning a Process
splunk_escu
Detect Regsvcs with Network Connection
splunk_escu
Detect Regsvcs with No Command Line Arguments
splunk_escu
Execution from Unusual Directory - Command Line
elasticmedium
Execution of Persistent Suspicious Program
elasticmedium
Network Connection via Registration Utility
elasticlow
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
sigmamedium
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
sigmamedium
RegAsm.EXE Execution Without CommandLine Flags or Files
sigmalow
RegAsm.EXE Initiating Network Connection To Public IP
sigmamedium
Suspicious MS Office Child Process
elasticmedium
Suspicious MS Outlook Child Process
elasticlow
Suspicious PDF Reader Child Process
elasticlow