title: Regsvcs/Regasm (T1218.009)
id: df00tech-t1218-009
status: experimental
description: "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through trusted Windows utilities. Regsvcs and Regasm are Windows command-line utilities used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. These utilities can bypass application control through use of attributes within the binary to specify code that should run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. Critically, the code decorated with these attributes executes even if the process runs with insufficient privileges and fails. Agent Tesla is a notable malware family that uses Regasm.exe for proxy execution."
references:
  - https://attack.mitre.org/techniques/T1218/009/
  - https://df00tech.com/detections/T1218.009
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.009
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate .NET software that registers COM interop assemblies via Regasm.exe during installation (common with Office interop assemblies)
  - Software development activities where developers register and unregister .NET COM assemblies for testing
  - Enterprise applications with .NET-based COM components registered during software deployment
  - Windows SDK tools and Visual Studio that use Regasm.exe for .NET COM registration during build processes
level: high