RegAsm.EXE Execution Without CommandLine Flags or Files

calendar Jun 11, 2025 · attack.defense-evasion attack.t1218.009  ·
Share on: linkedin copy

Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity. Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.

Sigma rule (View on GitHub)

 1title: RegAsm.EXE Execution Without CommandLine Flags or Files
 2id: 651f87f7-12db-47f9-84c5-f27b081b94b6
 3status: experimental
 4description: |
 5    Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
 6    Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.    
 7references:
 8    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
 9    - https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
10    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
11    - https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
12    - https://www.joesandbox.com/analysis/1467354/0/html
13author: frack113
14date: 2025-06-04
15tags:
16    - attack.defense-evasion
17    - attack.t1218.009
18logsource:
19    product: windows
20    category: process_creation
21detection:
22    selection_img:
23        - Image|endswith: '\RegAsm.exe'
24        - OriginalFileName: 'RegAsm.exe'
25    selection_cli:
26        CommandLine|endswith:
27            - 'RegAsm'
28            - 'RegAsm.exe'
29            - 'RegAsm.exe"'
30            - "RegAsm.exe'"
31    condition: all of selection_*
32falsepositives:
33    - Legitimate use of Regasm by developers.
34# Note: You can increase after an initial baseline
35level: low

References

Related rules

to-top