T1218.009 Regsvcs/Regasm Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("regsvcs.exe", "regasm.exe")
| extend SuspiciousPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "Desktop", "ProgramData")
| extend UnregisterFlag = ProcessCommandLine has_any ("/u", "/unregister")
| extend SilentFlag = ProcessCommandLine has_any ("/silent", "/s")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe")
| extend RemotePath = ProcessCommandLine has_any ("http://", "https://", "\\\\")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, SuspiciousPath, UnregisterFlag, SilentFlag, SuspiciousParent, RemotePath
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where InitiatingProcessFileName in~ ("regsvcs.exe", "regasm.exe")
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine
  | sort by Timestamp desc
)

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate .NET software that registers COM interop assemblies via Regasm.exe during installation (common with Office interop assemblies)
Software development activities where developers register and unregister .NET COM assemblies for testing
Enterprise applications with .NET-based COM components registered during software deployment
Windows SDK tools and Visual Studio that use Regasm.exe for .NET COM registration during build processes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\regsvcs.exe" OR Image="*\\regasm.exe" OR ParentImage="*\\regsvcs.exe" OR ParentImage="*\\regasm.exe")
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|Desktop|ProgramData)"), 1, 0)
| eval Unregister=if(match(CommandLine, "(/u|/unregister)"), 1, 0)
| eval SilentFlag=if(match(CommandLine, "(/silent|/s)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe"), 1, 0)
| eval SuspiciousChild=if((ParentImage="*\\regsvcs.exe" OR ParentImage="*\\regasm.exe") AND match(Image, "(cmd|powershell|wscript|cscript|net|rundll32)\.exe"), 1, 0)
| eval RiskScore=SuspiciousPath + Unregister + SuspiciousParent + SuspiciousChild
| where RiskScore > 0 OR SuspiciousChild=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SuspiciousPath, Unregister, SilentFlag, SuspiciousParent, SuspiciousChild, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate .NET software that registers COM interop assemblies via Regasm.exe during installation
Software development activities where developers register and unregister .NET COM assemblies for testing
Enterprise applications with .NET-based COM components registered during software deployment
Windows SDK tools and Visual Studio that use Regasm.exe for .NET COM registration during build processes

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (process.name : ("regsvcs.exe", "regasm.exe") or process.parent.name : ("regsvcs.exe", "regasm.exe")) and
   (
     process.args : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*Desktop*", "*ProgramData*") or
     process.args : ("/u", "/unregister", "/silent", "/s") or
     process.args : ("http://*", "https://*", "\\\\*") or
     process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe") or
     process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "net.exe", "rundll32.exe")
   )
  ]

any where
  (
    (process where event.type == "start" and process.name : ("regsvcs.exe", "regasm.exe")) or
    (process where event.type == "start" and process.parent.name : ("regsvcs.exe", "regasm.exe") and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "net.exe", "rundll32.exe"))
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate .NET COM assembly registration by developers or IT admins during software deployment, particularly from standard install paths like C:\Program Files
Software installers that invoke regasm.exe or regsvcs.exe as part of a signed setup chain with SYSTEM or elevated user context
Automated build pipelines or CI/CD agents registering COM components from temp build directories

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  username,
  "PROCESS_IMAGE" AS ProcessImage,
  "PROCESS_COMMANDLINE" AS CommandLine,
  "PARENT_PROCESS_IMAGE" AS ParentImage,
  "PARENT_PROCESS_COMMANDLINE" AS ParentCommandLine,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  CASE
    WHEN LOWER("PROCESS_IMAGE") LIKE '%regsvcs.exe' OR LOWER("PROCESS_IMAGE") LIKE '%regasm.exe' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("PROCESS_COMMANDLINE") SIMILAR TO '%(temp|appdata|downloads|public|desktop|programdata)%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("PROCESS_COMMANDLINE") SIMILAR TO '%(/u|/unregister|/silent)%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN LOWER("PARENT_PROCESS_IMAGE") SIMILAR TO '%(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN (LOWER("PARENT_PROCESS_IMAGE") LIKE '%regsvcs.exe' OR LOWER("PARENT_PROCESS_IMAGE") LIKE '%regasm.exe')
         AND LOWER("PROCESS_IMAGE") SIMILAR TO '%(cmd|powershell|wscript|cscript|net|rundll32)\.exe%' THEN 2
    ELSE 0
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 387)
  AND (
    LOWER("PROCESS_IMAGE") LIKE '%regsvcs.exe'
    OR LOWER("PROCESS_IMAGE") LIKE '%regasm.exe'
    OR LOWER("PARENT_PROCESS_IMAGE") LIKE '%regsvcs.exe'
    OR LOWER("PARENT_PROCESS_IMAGE") LIKE '%regasm.exe'
  )
  AND starttime > (NOW() - 86400000)
HAVING RiskScore > 0
ORDER BY RiskScore DESC, starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

QRadar Sysmon DSM QRadar Windows Security Event Log DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Enterprise software deployment tools (SCCM, PDQ Deploy) invoking regasm.exe from staging or temp directories during automated rollout
Developer workstations registering COM interop assemblies via Visual Studio post-build events, which may invoke regasm from AppData or project temp paths
Managed service providers using scripts that call regsvcs.exe with /u to cleanly uninstall .NET services during update procedures

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse "<EventID>*</EventID>" as EventID nodrop
| parse "<Image>*</Image>" as ProcessImage nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<ParentImage>*</ParentImage>" as ParentImage nodrop
| parse "<ParentCommandLine>*</ParentCommandLine>" as ParentCommandLine nodrop
| parse "<User>*</User>" as User nodrop
| parse "<Computer>*</Computer>" as Computer nodrop
| where EventID = "1"
| where (
    (ProcessImage matches "*regsvcs.exe" or ProcessImage matches "*regasm.exe")
    or (ParentImage matches "*regsvcs.exe" or ParentImage matches "*regasm.exe")
  )
| eval SuspiciousPath = if(ProcessImage matches "*regsvcs.exe" or ProcessImage matches "*regasm.exe",
    if(CommandLine matches "*(Temp|AppData|Downloads|Public|Desktop|ProgramData)*", 1, 0), 0)
| eval UnregisterFlag = if(ProcessImage matches "*regsvcs.exe" or ProcessImage matches "*regasm.exe",
    if(CommandLine matches "*(/u|/unregister)*" or CommandLine matches "*(/silent|/s)*", 1, 0), 0)
| eval SuspiciousParent = if(ParentImage matches "*(cmd|powershell|wscript|cscript|mshta|winword|excel).exe*", 1, 0)
| eval SuspiciousChild = if(
    (ParentImage matches "*regsvcs.exe" or ParentImage matches "*regasm.exe") and
    (ProcessImage matches "*(cmd|powershell|wscript|cscript|net|rundll32).exe*"), 1, 0)
| eval RemotePath = if(CommandLine matches "*(http://|https://|\\\\)*", 1, 0)
| eval RiskScore = SuspiciousPath + UnregisterFlag + SuspiciousParent + SuspiciousChild + RemotePath
| where RiskScore > 0
| fields _messagetime, Computer, User, ProcessImage, CommandLine, ParentImage, ParentCommandLine,
    SuspiciousPath, UnregisterFlag, SuspiciousParent, SuspiciousChild, RemotePath, RiskScore
| sort by RiskScore desc, _messagetime desc

high severity high confidence

Data Sources

Sysmon via Sumo Logic Windows collector Windows Security Event Log collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

IT automation tools such as Ansible or Chef running regasm.exe from temp directories as part of Windows role configuration playbooks
Software vendors bundling COM registration in silent installers that launch regsvcs.exe with /s flag from ProgramData staging areas
Security scanning or vulnerability assessment tools that enumerate COM components by spawning regsvcs.exe from scripting engine parents

Google Chronicle / SecOps

yaral

rule regsvcs_regasm_proxy_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1218.009 - Regsvcs/Regasm proxy execution abuse. Identifies regsvcs.exe or regasm.exe launched from suspicious parent processes, with suspicious arguments, from non-standard paths, or spawning suspicious child processes."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.009"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.product_name = "Microsoft-Windows-Sysmon" or $e.metadata.product_name = "Microsoft Defender for Endpoint"
    (
      re.regex($e.target.process.file.full_path, `(?i)(\\regsvcs\.exe|\\regasm\.exe)$`) or
      re.regex($e.principal.process.file.full_path, `(?i)(\\regsvcs\.exe|\\regasm\.exe)$`)
    )
    (
      re.regex($e.target.process.command_line, `(?i)(Temp|AppData|Downloads|Public|Desktop|ProgramData)`) or
      re.regex($e.target.process.command_line, `(?i)(\/u|\/unregister|\/silent|\/s)\b`) or
      re.regex($e.target.process.command_line, `(?i)(http:\/\/|https:\/\/|\\\\\\\\)`) or
      re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$`) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\regsvcs\.exe|\\regasm\.exe)$`) and
        re.regex($e.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|net|rundll32)\.exe$`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle via Sysmon forwarder Chronicle via Microsoft Defender for Endpoint integration Chronicle via Windows Event Log ingestion

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Enterprise endpoint management platforms registering legitimate .NET COM components as part of scheduled software updates from the ProgramData staging path
Development or QA environments where PowerShell-based build scripts invoke regasm.exe to register test COM interop assemblies
Legitimate uninstallation procedures by helpdesk tools that use regsvcs.exe /u to deregister services before cleanup

CrowdStrike LogScale (CQL)

cql

// T1218.009 - Regsvcs/Regasm Proxy Execution Detection
// Detect regsvcs.exe or regasm.exe as process or parent, with suspicious indicators

#event_simpleName = ProcessRollup2
| FileName = /(?i)(regsvcs|regasm)\.exe/ OR ParentBaseFileName = /(?i)(regsvcs|regasm)\.exe/
| eval SuspiciousPath = if(match(field=CommandLine, /(?i)(Temp|AppData|Downloads|Public|Desktop|ProgramData)/), 1, 0)
| eval UnregisterFlag = if(match(field=CommandLine, /(?i)(/u|/unregister|/silent|/s)\b/), 1, 0)
| eval SuspiciousParent = if(match(field=ParentBaseFileName, /(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe/), 1, 0)
| eval SuspiciousChild = if(
    match(field=ParentBaseFileName, /(?i)(regsvcs|regasm)\.exe/) AND
    match(field=FileName, /(?i)(cmd|powershell|wscript|cscript|net|rundll32)\.exe/),
    1, 0)
| eval RemotePath = if(match(field=CommandLine, /(?i)(http:\/\/|https:\/\/|\\\\)/), 1, 0)
| eval RiskScore = SuspiciousPath + UnregisterFlag + SuspiciousParent + SuspiciousChild + RemotePath
| where RiskScore > 0 OR SuspiciousChild = 1
| select timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine,
    SuspiciousPath, UnregisterFlag, SuspiciousParent, SuspiciousChild, RemotePath, RiskScore
| sort(field=RiskScore, order=desc)
| sort(field=timestamp, order=desc)
| limit 500

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Data Replicator (FDR)

Required Tables

ProcessRollup2

False Positives

Software packaging solutions (e.g., InstallShield, Advanced Installer) that invoke regasm.exe as part of MSI custom actions, potentially from temp extraction paths
Security tools or EDR agents that themselves inspect or register .NET assemblies during their own installation or update cycles
Developers using PowerShell scripts in CI pipelines on developer workstations to register and test COM-visible .NET assemblies before packaging

Regsvcs/Regasm

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections