| Item | Value |
|---|---|
| ID | DET0361 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1218.009 (Regsvcs/Regasm)
Analytics
Windows
AN1028
Abuse of Regsvcs.exe or Regasm.exe to execute arbitrary code embedded in .NET assemblies via [ComRegisterFunction]/[ComUnregisterFunction]. Behavioral chain: (1) Process creation of regsvcs/regasm with suspicious assembly paths/flags → (2) Assembly/DLL load inside regsvcs/regasm → (3) Registry writes to HKCR\CLSID/ProgID during COM registration → (4) Optional child process or network activity spawned by installer/registration code.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| AssemblyPathRegex | Environment-specific paths to flag (e.g., %TEMP%, Downloads, OneDrive, SMB shares). Helps suppress known-good installers. |
| SuspiciousFlags | Arguments like /unregister (/u), /codebase, /regfile which may indicate abuse. Tune per enterprise use of regasm/regsvcs. |
| ParentProcessAllowList | Legitimate parents (e.g., setup.exe, msiexec.exe). Analyst can prune false positives from Office or script hosts. |
| KnownGoodAssemblies | Hashes or publisher info for approved assemblies commonly registered in the environment. |
| RegistryKeyAllowList | Approved CLSIDs/ProgIDs written during sanctioned software installs. |
| TimeWindow | Correlation window (e.g., 5–10 min) between file drop → regasm/regsvcs exec → registry writes → child activity. |
| SignedToUnsignedTransition | Alert if Microsoft-signed regasm/regsvcs loads or triggers unsigned assemblies/children. |
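The behavioral chain from AN1028 and the mutable elements above, correlated over constructed Sysmon-style events. This is an added example written for this page, not part of the ATT&CK detection strategy; the normalized event shape, field names and tunable values are assumptions.

```python
import re
from datetime import datetime, timedelta
# Tunable elements mirroring the strategy's mutable fields; the values are constructed examples.
ASSEMBLY_PATH_REGEX = re.compile(r"\\(Temp|Downloads|OneDrive)\\|(^|\s)\\\\", re.I)  # %TEMP%, sync dirs, UNC
SUSPICIOUS_FLAGS = {"/u", "/unregister", "/codebase", "/regfile"}
PARENT_ALLOW_LIST = {"setup.exe", "msiexec.exe"}
TIME_WINDOW = timedelta(minutes=10)
TARGETS = {"regasm.exe", "regsvcs.exe"}
COM_KEY = re.compile(r"^HKCR\\(CLSID\\|[^\\]+\\CLSID\\)", re.I)  # HKCR\CLSID\{...} or HKCR\ProgID\CLSID
name = lambda path: path.rsplit("\\", 1)[-1].lower()

def chain_stage(ev):
    """Return which stage (1-4) of the behavioral chain a normalized event satisfies, or None."""
    if ev["type"] == "process_create" and name(ev["image"]) in TARGETS:
        flags = {t.lower() for t in ev["cmdline"].split()} & SUSPICIOUS_FLAGS
        if (flags or ASSEMBLY_PATH_REGEX.search(ev["cmdline"])) and name(ev["parent"]) not in PARENT_ALLOW_LIST:
            return 1
    if ev["type"] == "image_load" and not ev["signed"]:
        return 2  # unsigned assembly mapped into the Microsoft-signed binary (SignedToUnsignedTransition)
    if ev["type"] == "registry_set" and COM_KEY.match(ev["target"]):
        return 3
    if ev["type"] in ("process_create", "network_connect") and name(ev.get("parent", "")) in TARGETS:
        return 4

def correlate(events):
    """Key stages 2-4 to the regasm/regsvcs PID of each stage-1 event; alert when 1-3 land inside TIME_WINDOW."""
    alerts = []
    for s in (e for e in events if chain_stage(e) == 1):
        seen, deadline = {1}, s["ts"] + TIME_WINDOW
        for e in events:
            st = chain_stage(e)
            key = e.get("ppid") if st == 4 and e["type"] == "process_create" else e.get("pid")
            if st and st > 1 and key == s["pid"] and s["ts"] <= e["ts"] <= deadline:
                seen.add(st)
        if {1, 2, 3} <= seen:  # stage 4 is optional and only raises severity
            alerts.append({"pid": s["pid"], "cmdline": s["cmdline"], "stages": sorted(seen),
                           "severity": "high" if 4 in seen else "medium"})
    return alerts

# Constructed telemetry in a Sysmon-like normalized shape (not real data): one abuse chain, one sanctioned install.
T0, NET = datetime(2025, 10, 21, 9, 0, 0), r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [
    {"ts": T0, "type": "process_create", "pid": 4120, "image": NET + r"\regasm.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"regasm.exe /codebase C:\Users\jdoe\AppData\Local\Temp\upd.dll"},
    {"ts": T0 + timedelta(seconds=2), "type": "image_load", "pid": 4120, "signed": False, "image": r"C:\Users\jdoe\AppData\Local\Temp\upd.dll"},
    {"ts": T0 + timedelta(seconds=3), "type": "registry_set", "pid": 4120, "target": r"HKCR\CLSID\{PLACEHOLDER-GUID}\InprocServer32\CodeBase"},
    {"ts": T0 + timedelta(seconds=5), "type": "process_create", "pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo ok", "parent": NET + r"\regasm.exe"},
    {"ts": T0 + timedelta(minutes=30), "type": "process_create", "pid": 5300, "image": NET + r"\regsvcs.exe",
     "cmdline": r"regsvcs.exe C:\Program Files\Vendor\Vendor.Interop.dll", "parent": r"C:\Windows\System32\msiexec.exe"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields one high-severity alert for PID 4120 with stages 1-4, while the msiexec-driven regsvcs registration from Program Files produces nothing.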