Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
Sigma rule
title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
related:
    - id: cc368ed0-2411-45dc-a222-510ace303cb2
      type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
references:
    - https://www.fortiguard.com/threat-signal-report/4718?s=09
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
tags:
    - attack.defense-evasion
    - attack.t1218.009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\Regsvcs.exe'
              - '\Regasm.exe'
        - OriginalFileName:
              - 'RegSvcs.exe'
              - 'RegAsm.exe'
    selection_extension:
        CommandLine|contains:
            # Note: Add more potentially uncommon extensions
            - '.dat'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.png'
            - '.txt'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
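To see how the two selections combine, the following is an added example (not part of the rule or SigmaHQ's tooling): a small Python re-implementation of this rule's matching logic, run against constructed process_creation events. It mirrors Sigma semantics as a hand translation would, with case-insensitive `endswith`/`contains`/equality, the two maps under `selection_img` OR-ed together, and `all of selection_*` as a conjunction. The field names follow the rule; the sample events and paths are made up for the demonstration.

```python
"""Hand re-implementation of the rule's detection block (added example, not the
rule author's code). Event field names follow the rule; sample events are constructed."""

# Values copied from the rule's detection block (lower-cased once, since Sigma
# string matching is case-insensitive by default).
IMAGE_SUFFIXES = ("\\regsvcs.exe", "\\regasm.exe")
ORIGINAL_FILE_NAMES = ("regsvcs.exe", "regasm.exe")
UNCOMMON_EXTENSIONS = (".dat", ".gif", ".jpeg", ".jpg", ".png", ".txt")


def _field(event, name):
    """Read a field as a lower-cased string; missing fields compare as empty."""
    return str(event.get(name, "")).lower()


def selection_img(event):
    """selection_img: a list of two maps in Sigma is OR-ed, so either
    Image ending in one of the binaries OR OriginalFileName equal to one is enough.
    OriginalFileName comes from the PE version resource, so a renamed copy still matches."""
    image = _field(event, "Image")
    original = _field(event, "OriginalFileName")
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES


def selection_extension(event):
    """selection_extension: CommandLine|contains any of the listed extensions."""
    cmd = _field(event, "CommandLine")
    return any(ext in cmd for ext in UNCOMMON_EXTENSIONS)


def matches(event):
    """condition: all of selection_* (both selections must hold)."""
    return selection_img(event) and selection_extension(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # assembly passed under an image-file extension: should match
        "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
        "OriginalFileName": "RegAsm.exe",
        "CommandLine": "RegAsm.exe C:\\Users\\Public\\logo.png",
    },
    {   # renamed binary; OriginalFileName from the PE header still identifies it: should match
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "RegSvcs.exe",
        "CommandLine": "svc.exe /u notes.txt",
    },
    {   # ordinary developer use registering a .dll: should not match
        "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegSvcs.exe",
        "OriginalFileName": "RegSvcs.exe",
        "CommandLine": "RegSvcs.exe C:\\build\\MyComponent.dll",
    },
    {   # unrelated process with a .txt argument: should not match
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe C:\\temp\\readme.txt",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return the indices of the events that trigger the rule."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    for i in run():
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Two points the re-implementation makes visible. First, the `OriginalFileName` branch is what catches a renamed copy of the binary, so a hunt that only keys on the image path loses that coverage. Second, `CommandLine|contains` is a plain substring test: a path component such as `.datastore` contains `.dat` and would fire, which is one reason the rule lists its false positives as "Unknown" and marks the extension list as something to extend with care. In a production pipeline the conversion is done by a Sigma backend (for example pySigma or sigma-cli) rather than by hand; this block is only for reasoning about the logic.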
Related rules
- Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
- RegAsm.EXE Initiating Network Connection To Public IP
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType