Execution via Regsvcs/Regasmedit

RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.

Rule type: query

Rule indices:

  • winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

  • Elastic
  • Windows

Version: 1

Added (Elastic Stack release): 7.7.0

Rule queryedit

process.name:(RegAsm.exe or RegSvcs.exe) and event.action:"Process
Create (rule: ProcessCreate)"

Threat mappingedit

Framework: MITRE ATT&CKTM