Execution via Regsvcs/Regasm
Warning
This rule has been deprecated as of 2021/03/17.
RegSvcs.exe and RegAsm.exe are Windows command-line utilities used to register .NET Component Object Model (COM) assemblies. Because both are trusted Windows utilities, adversaries can use RegSvcs.exe and RegAsm.exe to proxy the execution of their own code through them.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Execution
Version: 100
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query:
event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe)
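The query above, worked through as an added Python example that is not part of the Elastic rule or its documentation: it applies the same three conditions, the now-9m lookback window and the 100-alert cap to constructed ECS-shaped events. The sample events, their timestamps and parent process names are made up for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed ECS-shaped events (not real telemetry); timestamps sit relative to NOW so the now-9m window is exercised.
NOW = datetime(2021, 3, 17, 12, 0, tzinfo=timezone.utc)

def _ts(minutes_ago):
    return (NOW - timedelta(minutes=minutes_ago)).isoformat()

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"@timestamp": _ts(2), "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "RegAsm.exe", "parent": {"name": "cmd.exe"}}},
    {"@timestamp": _ts(5), "event": {"category": "process", "type": "process_started"},
     "process": {"name": "RegSvcs.exe", "parent": {"name": "powershell.exe"}}},
    {"@timestamp": _ts(3), "event": {"category": ["process"], "type": ["end"]},
     "process": {"name": "RegAsm.exe", "parent": {"name": "cmd.exe"}}},
    {"@timestamp": _ts(15), "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "RegSvcs.exe", "parent": {"name": "explorer.exe"}}},
    {"@timestamp": _ts(1), "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "notepad.exe", "parent": {"name": "explorer.exe"}}},
])

def _as_set(value):
    # ECS fields such as event.type may be a scalar or an array; normalise to a set.
    return set() if value is None else (set(value) if isinstance(value, list) else {value})

def matches_rule(event):
    """event.category:process and event.type:(start or process_started)
    and process.name:(RegAsm.exe or RegSvcs.exe), compared exactly as written."""
    ev = event.get("event", {})
    return ("process" in _as_set(ev.get("category"))
            and bool(_as_set(ev.get("type")) & {"start", "process_started"})
            and event.get("process", {}).get("name") in {"RegAsm.exe", "RegSvcs.exe"})

def run_rule(ndjson, now, lookback=timedelta(minutes=9), max_alerts=100):
    """One scheduled execution: consider only events inside the now-9m window
    and stop after max_alerts (100 on this rule)."""
    alerts = []
    for line in ndjson.splitlines():
        event = json.loads(line)
        ts = datetime.fromisoformat(event["@timestamp"])
        if not (now - lookback <= ts <= now) or not matches_rule(event):
            continue
        # Keep the parent so an analyst can tell a build or install step from a proxied launch.
        alerts.append({"timestamp": event["@timestamp"], "process": event["process"]["name"],
                       "parent": event["process"].get("parent", {}).get("name")})
        if len(alerts) >= max_alerts:
            break
    return alerts
```

Because the query keys on the process name alone, every legitimate assembly registration also matches, which is consistent with the rule's low severity; the parent process carried into each alert is what an analyst would look at first to separate the two.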
Framework: MITRE ATT&CK
Tactic:
- Name: Execution
- Id: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Framework: MITRE ATT&CK
Tactic:
- Name: Defense Evasion
- Id: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Signed Binary Proxy Execution
- Id: T1218
- Reference URL: https://attack.mitre.org/techniques/T1218/
Sub Technique:
- Name: Regsvcs/Regasm
- Id: T1218.009
- Reference URL: https://attack.mitre.org/techniques/T1218/009/