Execution via Regsvcs/Regasm

RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.

Rule type: query

Rule indices:

  • winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

  • Elastic
  • Windows

Version: 1

Added (Elastic Stack release): 7.7.0

Rule query

process.name:(RegAsm.exe or RegSvcs.exe) and event.action:"Process Create (rule: ProcessCreate)"
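To make the rule's matching logic concrete, the following is an added Python example (it is not part of the Elastic rule or of this page) that evaluates the same condition over a handful of constructed winlogbeat-style ECS events, applies the now-6m search window, and caps the result at the maximum-signals value listed above. The event layout, the timestamps and the fixed "now" value are assumptions made for the demonstration; the comparison on process.name is an exact string match, which mirrors a term query against a keyword-mapped field and is also an assumption about the index mapping.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the rule query and metadata on this page.
RULE_PROCESS_NAMES = {"RegAsm.exe", "RegSvcs.exe"}
RULE_EVENT_ACTION = "Process Create (rule: ProcessCreate)"
SEARCH_LOOKBACK = timedelta(minutes=6)   # "Searches indices from: now-6m"
MAX_SIGNALS = 100                        # "Maximum signals per execution: 100"

# Assumed evaluation time for the demonstration (the rule would use the real clock).
NOW = datetime(2020, 4, 1, 12, 5, tzinfo=timezone.utc)

# Constructed sample events in ECS layout, as winlogbeat would ship them.
# These are made up for the example and are not real telemetry.
SAMPLE_EVENTS = [
    {   # inside the window and satisfies both conditions -> signal
        "@timestamp": "2020-04-01T12:00:30Z",
        "event": {"action": "Process Create (rule: ProcessCreate)"},
        "process": {"name": "RegAsm.exe", "command_line": "RegAsm.exe C:\\Users\\Public\\sample.dll"},
    },
    {   # exactly on the lower edge of the now-6m window -> signal
        "@timestamp": "2020-04-01T11:59:00Z",
        "event": {"action": "Process Create (rule: ProcessCreate)"},
        "process": {"name": "RegSvcs.exe", "command_line": "RegSvcs.exe sample.dll"},
    },
    {   # right binary, but not a process-creation event -> no signal
        "@timestamp": "2020-04-01T12:01:00Z",
        "event": {"action": "Process terminated"},
        "process": {"name": "RegAsm.exe"},
    },
    {   # process creation of an unrelated binary -> no signal
        "@timestamp": "2020-04-01T12:02:00Z",
        "event": {"action": "Process Create (rule: ProcessCreate)"},
        "process": {"name": "notepad.exe"},
    },
    {   # would match, but is older than now-6m -> outside the search window
        "@timestamp": "2020-04-01T11:50:00Z",
        "event": {"action": "Process Create (rule: ProcessCreate)"},
        "process": {"name": "RegSvcs.exe"},
    },
    {   # malformed record with no process object -> must not raise, no signal
        "@timestamp": "2020-04-01T12:03:00Z",
        "event": {"action": "Process Create (rule: ProcessCreate)"},
    },
]


def get_field(event, dotted_path):
    """Resolve an ECS dotted field name such as "process.name" in a nested dict.

    Returns None when any segment of the path is missing, so a malformed
    event simply fails to match instead of raising.
    """
    node = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event):
    """The rule query: process.name:(RegAsm.exe or RegSvcs.exe)
    and event.action:"Process Create (rule: ProcessCreate)"."""
    return (
        get_field(event, "process.name") in RULE_PROCESS_NAMES
        and get_field(event, "event.action") == RULE_EVENT_ACTION
    )


def in_search_window(event, now=NOW, lookback=SEARCH_LOOKBACK):
    """True when @timestamp lies within [now - lookback, now]."""
    ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
    return now - lookback <= ts <= now


def run_rule(events, now=NOW, max_signals=MAX_SIGNALS):
    """One scheduled execution: filter to the search window, apply the query,
    and return at most max_signals matching events."""
    signals = [e for e in events if in_search_window(e, now) and matches_rule(e)]
    return signals[:max_signals]


if __name__ == "__main__":
    for signal in run_rule(SAMPLE_EVENTS):
        print(signal["@timestamp"], signal["process"]["name"],
              signal["process"].get("command_line", ""))
```

Because the rule runs every 5 minutes but searches back 6 minutes, consecutive executions overlap by one minute; the look-back is what keeps an event that arrives late from falling between two runs, and the constructed 11:59:00 event shows the inclusive lower edge of that window.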

Threat mapping

Framework: MITRE ATT&CK™