Detect Regsvcs/Regasm in Sumo Logic CSE
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through trusted Windows utilities. Regsvcs.exe and Regasm.exe are command-line utilities shipped with the .NET Framework (under %WINDIR%\Microsoft.NET\Framework[64]\v*\) that register .NET assemblies for COM interop. Both are digitally signed by Microsoft, so an application-control policy that trusts Microsoft-signed binaries will let them run. The bypass works through attributes in the target assembly that name a static method to run before registration or unregistration: [ComRegisterFunction] and [ComUnregisterFunction] respectively. The attributed method runs as part of loading the assembly, so it executes even when the caller lacks the privilege needed to complete the registration; the utility then reports a failure, but the payload has already run. This is why the unregister path (/u) from a non-admin context is the common abuse pattern. Agent Tesla is a notable malware family that uses Regasm.exe for proxy execution.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1218 System Binary Proxy Execution
- Sub-technique: T1218.009 Regsvcs/Regasm
- Canonical reference: https://attack.mitre.org/techniques/T1218/009/
Sumo Detection Query
_sourceCategory=windows/sysmon
| parse "<EventID>*</EventID>" as EventID nodrop
| parse "<Image>*</Image>" as ProcessImage nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<ParentImage>*</ParentImage>" as ParentImage nodrop
| parse "<ParentCommandLine>*</ParentCommandLine>" as ParentCommandLine nodrop
| parse "<User>*</User>" as User nodrop
| parse "<Computer>*</Computer>" as Computer nodrop
| where EventID = "1"
| if(ProcessImage matches /(?i).*\\(regsvcs|regasm)\.exe$/, 1, 0) as IsRegBinary
| if(ParentImage matches /(?i).*\\(regsvcs|regasm)\.exe$/, 1, 0) as ParentIsRegBinary
| where IsRegBinary = 1 or ParentIsRegBinary = 1
| if(IsRegBinary = 1 and CommandLine matches /(?i).*(temp|appdata|downloads|public|desktop|programdata).*/, 1, 0) as SuspiciousPath
| if(IsRegBinary = 1 and CommandLine matches /(?i).*(^|\s)[\/-](u|unregister|s|silent)(\s|$).*/, 1, 0) as UnregisterFlag
| if(ParentImage matches /(?i).*\\(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$/, 1, 0) as SuspiciousParent
| if(ParentIsRegBinary = 1 and ProcessImage matches /(?i).*\\(cmd|powershell|wscript|cscript|net|rundll32)\.exe$/, 1, 0) as SuspiciousChild
| if(CommandLine matches /(?i).*(https?:\/\/|\\\\).*/, 1, 0) as RemotePath
| SuspiciousPath + UnregisterFlag + SuspiciousParent + SuspiciousChild + RemotePath as RiskScore
| where RiskScore > 0
| fields _messagetime, Computer, User, ProcessImage, CommandLine, ParentImage, ParentCommandLine,
SuspiciousPath, UnregisterFlag, SuspiciousParent, SuspiciousChild, RemotePath, RiskScore
| sort by RiskScore desc, _messagetime desc
Sumo Logic search detecting Regsvcs/Regasm proxy execution via Sysmon Event ID 1 (Process Create). It parses the rendered XML fields, keeps events where regsvcs.exe or regasm.exe is either the process or the parent, and adds one point per indicator: a target path under a user-writable or staging directory, an unregister or silent switch, a scripting or Office parent, a shell or LOLBin child spawned by the registration utility, and an HTTP or UNC path on the command line. Three points to be aware of. First, the Sumo Logic matches operator treats a quoted string as a wildcard pattern, so alternations such as (cmd|powershell) only work when the pattern is written as a /regex/, as above; SuspiciousPath and UnregisterFlag are only evaluated on the command line of the registration utility itself, not on a child it spawned. Second, the parse statements assume the collector delivers events with rendered XML element names (<Image>, <CommandLine>); if your source ships Sysmon events in another format, adjust the parse lines to match. Third, Windows Security Event ID 4688 carries the process in NewProcessName rather than Image and is not EventID 1, so scoping the search to windows/security adds nothing as written; 4688 needs its own parse before it can be scored with the same indicators.
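The scoring logic of the query above, replayed over a handful of constructed Sysmon records in Python so the indicator arithmetic can be checked offline before the search is deployed. This is an added example, not Sumo Logic code and not the page's rule; the event records, hostnames, users and paths are invented, and the regular expressions mirror the query's five indicators.

```python
import re

# Constructed Sysmon Event ID 1 records rendered as flat XML elements, the shape
# the Sumo parse statements expect. Sample data: hosts, users and paths are
# invented for this example and are not captured telemetry.
SAMPLE_EVENTS = [
    # Agent Tesla style: regasm.exe /U /S on a DLL under AppData\Local\Temp, spawned by PowerShell
    r"<EventID>1</EventID>"
    r"<Image>C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe</Image>"
    r"<CommandLine>regasm.exe /U /S C:\Users\victim\AppData\Local\Temp\update.dll</CommandLine>"
    r"<ParentImage>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</ParentImage>"
    r"<ParentCommandLine>powershell.exe -w hidden -enc AAAA</ParentCommandLine>"
    r"<User>CORP\victim</User><Computer>ws01.corp.example</Computer>",
    # Vendor installer registering an interop assembly from Program Files (expected to score 0)
    r"<EventID>1</EventID>"
    r"<Image>C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe</Image>"
    r'<CommandLine>regasm.exe /codebase "C:\Program Files\Vendor\App\Vendor.Interop.dll"</CommandLine>'
    r"<ParentImage>C:\Windows\System32\msiexec.exe</ParentImage>"
    r"<ParentCommandLine>msiexec.exe /i VendorApp.msi /qn</ParentCommandLine>"
    r"<User>NT AUTHORITY\SYSTEM</User><Computer>ws02.corp.example</Computer>",
    # regsvcs.exe spawning a shell: only the child-process indicator applies
    r"<EventID>1</EventID>"
    r"<Image>C:\Windows\System32\cmd.exe</Image>"
    r"<CommandLine>cmd.exe /c whoami</CommandLine>"
    r"<ParentImage>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe</ParentImage>"
    r"<ParentCommandLine>regsvcs.exe loader.dll</ParentCommandLine>"
    r"<User>CORP\victim</User><Computer>ws01.corp.example</Computer>",
    # regsvcs.exe handed a UNC path from cmd.exe: remote-path and suspicious-parent indicators
    r"<EventID>1</EventID>"
    r"<Image>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe</Image>"
    r"<CommandLine>regsvcs.exe \\fileserver\share\tools\helper.dll</CommandLine>"
    r"<ParentImage>C:\Windows\System32\cmd.exe</ParentImage>"
    r"<ParentCommandLine>cmd.exe</ParentCommandLine>"
    r"<User>CORP\admin</User><Computer>ws03.corp.example</Computer>",
    # Sysmon Event ID 7 (Image loaded) for the same binary: outside this query's scope
    r"<EventID>7</EventID>"
    r"<Image>C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe</Image>"
    r"<ImageLoaded>C:\Users\victim\AppData\Local\Temp\update.dll</ImageLoaded>"
    r"<Computer>ws01.corp.example</Computer>",
]

FIELDS = ("EventID", "Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "Computer")

# Indicator patterns, equivalent to the /regex/ forms used with the Sumo matches operator.
REG_BIN = re.compile(r"\\(regsvcs|regasm)\.exe$", re.I)
SUSP_PATH = re.compile(r"(temp|appdata|downloads|public|desktop|programdata)", re.I)
UNREG_OR_SILENT = re.compile(r"(?:^|\s)[/-](u|unregister|s|silent)(?=\s|$)", re.I)
SUSP_PARENT = re.compile(r"\\(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$", re.I)
SUSP_CHILD = re.compile(r"\\(cmd|powershell|wscript|cscript|net|rundll32)\.exe$", re.I)
REMOTE = re.compile(r"(https?://|\\\\)", re.I)


def parse_event(xml):
    """Extract each element's text like `parse "<Tag>*</Tag>" as Tag nodrop`; absent fields stay absent."""
    ev = {}
    for tag in FIELDS:
        m = re.search(rf"<{tag}>(.*?)</{tag}>", xml)
        if m:
            ev["ProcessImage" if tag == "Image" else tag] = m.group(1)
    return ev


def score_event(ev):
    """Return the indicator flags and RiskScore, or None when the event is out of scope."""
    if ev.get("EventID") != "1":
        return None
    image, parent, cmd = ev.get("ProcessImage", ""), ev.get("ParentImage", ""), ev.get("CommandLine", "")
    img_is_reg = bool(REG_BIN.search(image))
    parent_is_reg = bool(REG_BIN.search(parent))
    if not (img_is_reg or parent_is_reg):
        return None
    ind = {
        # Path and switch checks only apply to the registration utility's own command line.
        "SuspiciousPath": int(img_is_reg and bool(SUSP_PATH.search(cmd))),
        "UnregisterFlag": int(img_is_reg and bool(UNREG_OR_SILENT.search(cmd))),
        "SuspiciousParent": int(bool(SUSP_PARENT.search(parent))),
        "SuspiciousChild": int(parent_is_reg and bool(SUSP_CHILD.search(image))),
        "RemotePath": int(bool(REMOTE.search(cmd))),
    }
    ind["RiskScore"] = sum(ind.values())
    return ind


def run_detection(events):
    """Parse, filter, score and sort exactly as the search does; events scoring 0 are dropped."""
    hits = []
    for xml in events:
        ev = parse_event(xml)
        ind = score_event(ev)
        if ind and ind["RiskScore"] > 0:
            row = {k: ev.get(k, "") for k in ("Computer", "User", "ProcessImage", "CommandLine", "ParentImage")}
            hits.append({**row, **ind})
    return sorted(hits, key=lambda h: h["RiskScore"], reverse=True)


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["RiskScore"], hit["Computer"], hit["ProcessImage"], hit["CommandLine"])
```

The installer record scores 0 and disappears, which is the intended behaviour for the false-positive class described below, while the Agent Tesla style record scores 3 from the path, the unregister switch and the PowerShell parent. Swap in events from your own telemetry to see which indicators your legitimate registrations trip before you tune the search.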
Data Sources
- Sysmon Event ID 1 (Process Create) from the windows/sysmon source: the only event type the query evaluates. Image, CommandLine, ParentImage, ParentCommandLine, User and Computer must be present.
- Windows Security Event ID 4688 (Process Creation) with command-line auditing enabled: corroborating signal referenced in the tests below. It reports the process in NewProcessName and the parent in ParentProcessName, so it needs its own parse before the same indicators can be applied.
- Sysmon Event ID 7 (Image loaded): shows the assembly actually loaded into regasm.exe or regsvcs.exe, which pins down the payload path when the command line is ambiguous.
False Positives & Tuning
- IT automation tools such as Ansible or Chef running regasm.exe from temp directories as part of Windows role configuration playbooks
- Software vendors bundling COM registration in silent installers that launch regsvcs.exe or regasm.exe with a silent switch from ProgramData staging areas
- Security scanning or vulnerability assessment tools that enumerate COM components by spawning regsvcs.exe from scripting-engine parents
For each of these, suppress on the specific parent image and the signed assembly path rather than on the registration utility itself, so that the same binary launched from an unexpected parent or path still scores. Note that the path indicator matches the bare words temp, appdata, downloads, public, desktop and programdata anywhere in the command line, so an assembly whose own name contains one of them will also trip it.
Testing Methodology
Validate this detection with the three test cases below, modelled on the Atomic Red Team tests for T1218.009. Each lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Regasm Execution from Temp Directory
Expected signal: Sysmon Event ID 1: regasm.exe with the /s flag and a Temp path (SuspiciousPath and UnregisterFlag both score). Security Event ID 4688. Sysmon Event ID 7 for the DLL being loaded.
- Test 2: Regasm with Unregister Flag
Expected signal: Sysmon Event ID 1: regasm.exe with /u and /s flags and a Temp path. Security Event ID 4688. The registration fails if the file does not exist, but the process creation event fires regardless, which is the point of testing the unregister path.
- Test 3: Regsvcs Launched from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe followed by regsvcs.exe with ParentImage=powershell.exe. SuspiciousParent scores, and SuspiciousPath scores as well when the target assembly sits under one of the scored directories. Security Event ID 4688.
References
- https://attack.mitre.org/techniques/T1218/009/
- https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
- https://lolbas-project.github.io/lolbas/Binaries/Regasm/
- https://msdn.microsoft.com/en-us/library/04za0hca.aspx
- https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md
- https://www.sentinelone.com/labs/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/