Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
Sigma rule
title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
id: cc368ed0-2411-45dc-a222-510ace303cb2
related:
    - id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
      type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
references:
    - https://www.fortiguard.com/threat-signal-report/4718?s=09
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
modified: 2023-02-13
tags:
    - attack.defense-evasion
    - attack.t1218.009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\Regsvcs.exe'
              - '\Regasm.exe'
        - OriginalFileName:
              - 'RegSvcs.exe'
              - 'RegAsm.exe'
    selection_dir:
        CommandLine|contains:
            # Note: Add more potentially suspicious directories
            - '\AppData\Local\Temp\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\PerfLogs\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            # - '\Desktop\'
            # - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
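The rule's two selections and its `all of selection_*` condition, applied to constructed process_creation events as an added Python example (not SigmaHQ code). It assumes Sigma's default case-insensitive string matching and the Image, OriginalFileName and CommandLine field names used in the rule; the sample events are made up.

```python
# Added example: evaluates the Sigma rule above against constructed
# process_creation events. Not part of the SigmaHQ project.

# Values lowered once; Sigma compares strings case-insensitively by default.
SUSPECT_IMAGES = ("\\regsvcs.exe", "\\regasm.exe")
SUSPECT_ORIGINAL_NAMES = ("regsvcs.exe", "regasm.exe")
SUSPECT_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\perflogs\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)


def selection_img(event):
    """List of maps in the rule means OR: Image|endswith OR OriginalFileName."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(SUSPECT_IMAGES) or original in SUSPECT_ORIGINAL_NAMES


def selection_dir(event):
    """CommandLine|contains with a list means any listed directory matches."""
    cmdline = event.get("CommandLine", "").lower()
    return any(d in cmdline for d in SUSPECT_DIRS)


def matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_dir(event)


# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "OriginalFileName": "RegAsm.exe",
     "CommandLine": r"RegAsm.exe C:\Users\Public\component.dll"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
     "OriginalFileName": "RegSvcs.exe",
     "CommandLine": r"RegSvcs.exe C:\Program Files\Vendor\Component.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\build.exe",  # Image renamed;
     "OriginalFileName": "RegAsm.exe",  # PE metadata still identifies it
     "CommandLine": r"build.exe C:\Users\alice\AppData\Local\Temp\x.dll"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir C:\Windows\Temp\*.log"},
]


def alerts(events=EVENTS):
    """Indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    print("matching event indices:", alerts())  # [0, 2]
```

Event 1 shows the directory selection suppressing a benign registration, and event 3 shows why the rule pairs the image check with the directory check rather than alerting on the path alone.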
Related rules
- Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
- RegAsm.EXE Initiating Network Connection To Public IP
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType