Detect Regsvcs/Regasm in Elastic Security
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through trusted Windows utilities. Regsvcs and Regasm are Windows command-line utilities used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. These utilities can bypass application control through use of attributes within the binary to specify code that should run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. Critically, the code decorated with these attributes executes even if the process runs with insufficient privileges and fails. Agent Tesla is a notable malware family that uses Regasm.exe for proxy execution.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.009 Regsvcs/Regasm
- Canonical reference
- https://attack.mitre.org/techniques/T1218/009/
Elastic Detection Query
sequence by host.id with maxspan=5m
[process where event.type == "start" and
(process.name : ("regsvcs.exe", "regasm.exe") or process.parent.name : ("regsvcs.exe", "regasm.exe")) and
(
process.args : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*Desktop*", "*ProgramData*") or
process.args : ("/u", "/unregister", "/silent", "/s") or
process.args : ("http://*", "https://*", "\\\\*") or
process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe") or
process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "net.exe", "rundll32.exe")
)
]
any where
(
(process where event.type == "start" and process.name : ("regsvcs.exe", "regasm.exe")) or
(process where event.type == "start" and process.parent.name : ("regsvcs.exe", "regasm.exe") and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "net.exe", "rundll32.exe"))
)Detects abuse of regsvcs.exe or regasm.exe for proxy code execution (T1218.009). Looks for suspicious parent processes, suspicious file paths in arguments, unregister/silent flags, remote paths, and suspicious child processes spawned by regsvcs/regasm.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate .NET COM assembly registration by developers or IT admins during software deployment, particularly from standard install paths like C:\Program Files
- Software installers that invoke regasm.exe or regsvcs.exe as part of a signed setup chain with SYSTEM or elevated user context
- Automated build pipelines or CI/CD agents registering COM components from temp build directories
Other platforms for T1218.009
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Regasm Execution from Temp Directory
Expected signal: Sysmon Event ID 1: regasm.exe with /s flag and Temp path. Security Event ID 4688. Sysmon Event ID 7 for the DLL being loaded.
- Test 2Regasm with Unregister Flag
Expected signal: Sysmon Event ID 1: regasm.exe with /u and /s flags, Temp path. Security Event ID 4688. The process will fail if the file does not exist but the process creation event fires.
- Test 3Regsvcs Launched from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe then regsvcs.exe with ParentImage=powershell.exe. SuspiciousParent and SuspiciousPath both fire. Security Event ID 4688.
References (7)
- https://attack.mitre.org/techniques/T1218/009/
- https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
- https://lolbas-project.github.io/lolbas/Binaries/Regasm/
- https://msdn.microsoft.com/en-us/library/04za0hca.aspx
- https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md
- https://www.sentinelone.com/labs/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/
Unlock Pro Content
Get the full detection package for T1218.009 including response playbook, investigation guide, and atomic red team tests.