Technique on mitre.org

T1218.009: Regsvcs/Regasm

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft.

Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-197: RegAsm_Or_RegSvcs_AWL_Bypass: An attempt to bypass application-start restrictions by using regasm.exe (Microsoft Windows assembly registration tool) or regsvcs.exe (Microsoft Windows .NET service installation tool)

Detection

IDDS0017Data source and componentCommand: Command ExecutionDescription

Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.

IDDS0009Data source and componentProcess: Process CreationDescription

Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity.

Mitigation

IDM1038NameExecution PreventionDescription

Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.

IDM1042NameDisable or Remove Feature or ProgramDescription

Regsvcs and Regasm may not be necessary within a given environment.