Suspicious Process Injection to RegAsm
Detects potential process injection of RegAsm.exe as indicated by lack of command-line arguments. This was observed in a recent campaign to distribute AsyncRAT and Quasar RAT using malicious OneNot files.
Sigma rule (View on GitHub)
1title: Suspicious Process Injection to RegAsm
2id: c94e87b8-7529-4582-9572-96cd61f7464c
3status: experimental
4description: Detects potential process injection of RegAsm.exe as indicated by lack of command-line arguments. This was observed in a recent campaign to distribute AsyncRAT and Quasar RAT using malicious OneNot files.
5references:
6 - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
7 - https://any.run/report/6c1e62385d660ca43e024d461154fbb4805e429cdf7850d19510d7f69533739e/031d98bb-3696-4369-8202-2130e87f93d3
8author: Micah Babinski (@micahbabinski)
9date: 2023/01/29
10tags:
11 - attack.defense_evasion
12 - attack.t1218
13 - attack.t1218.009
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection1:
19 ParentImage|endswith: '\RegAsm.exe'
20 ParentCommandLine|endswith:
21 - 'RegAsm.exe'
22 - 'RegAsm.exe"'
23 selection2:
24 Image|endswith: '\RegAsm.exe'
25 CommandLine|endswith:
26 - 'RegAsm.exe'
27 - 'RegAsm.exe"'
28 condition: selection1 or selection2
29falsepositives:
30 - Unknown
31level: high```
References
-
Use Regasm.exe, the Assembly Registration tool. Read assembly metadata and add the needed entries to the registry, allowing COM clients to create .NET classes.
Read More -
Online sandbox report for ss.ps1, tagged as trojan, rat, quasar, asyncrat, verdict: Malicious activity
Read More
Related rules
- DNS Query From Process with Double File Extension
- Download by Process with Double File Extension
- File Creation by Process with Double File Extension
- Network Connection From Process with Double File Extension
- SyncAppvPublishingServer Execution to Bypass Powershell Restriction