RegAsm.EXE Initiating Network Connection To Public IP

 1title: RegAsm.EXE Initiating Network Connection To Public IP
 2id: 0531e43a-d77d-47c2-b89f-5fe50321c805
 3status: experimental
 4description: Detects "RegAsm.exe" initiating a network connection to public IP adresses
 5references:
 6    - https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/
 7    - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
 8    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
 9author: frack113
10date: 2024-04-25
11tags:
12    - attack.defense-evasion
13    - attack.t1218.009
14logsource:
15    category: network_connection
16    product: windows
17detection:
18    selection:
19        Initiated: 'true'
20        Image|endswith: '\regasm.exe'
21    filter_main_local_ranges:
22        DestinationIp|cidr:
23            - '127.0.0.0/8'
24            - '10.0.0.0/8'
25            - '172.16.0.0/12'
26            - '192.168.0.0/16'
27            - '169.254.0.0/16'
28            - '::1/128'  # IPv6 loopback
29            - 'fe80::/10'  # IPv6 link-local addresses
30            - 'fc00::/7'  # IPv6 private addresses
31    condition: selection and not 1 of filter_main_*
32falsepositives:
33    - Unknown
34level: medium

References

• Analysis 2dcedda2d433140e29c0e0efa141df17c0398b820922c7e39f4ab503ef1f1855.exe (MD5: A6A52958BEC5F9BCA6D3DD49072B481B) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• Detection: Detect Regasm with Network Connection

  Updated Date: 2024-08-14 ID: 07921114-6db4-4e2e-ae58-3ea8a52ae93f Author: Michael Haag, Splunk Type: TTP Product: Splunk Enterprise Security Description The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass application control mechanisms. If confirmed malicious, this behavior could indicate an adversary's attempt to establish a remote Command and Control (C2) channel, potentially leading to privilege escalation and further malicious actions within the environment.

  
  Read More

• Regasm on LOLBAS

  

  Regasm.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

Related rules

• Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
• Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
• AD Object WriteDAC Access
• ADS Zone.Identifier Deleted By Uncommon Application
• AMSI Bypass Pattern Assembly GetType