Skip to content

T1218.009 Regsvcs/Regasm

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. 1 2

Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. 34

Item Value
ID T1218.009
Sub-techniques T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014
Tactics TA0005
Platforms Windows
Permissions required Administrator, User
Version 2.0
Created 23 January 2020
Last Modified 11 March 2022

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity.5

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program Regsvcs and Regasm may not be necessary within a given environment.
M1038 Execution Prevention Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation

References