Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

 1title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
 2id: cc368ed0-2411-45dc-a222-510ace303cb2
 3related:
 4    - id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
 5      type: derived
 6status: test
 7description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
 8references:
 9    - https://www.fortiguard.com/threat-signal-report/4718?s=09
10    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
11    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022/08/25
14modified: 2023/02/13
15tags:
16    - attack.defense_evasion
17    - attack.t1218.009
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith:
24              - '\Regsvcs.exe'
25              - '\Regasm.exe'
26        - OriginalFileName:
27              - 'RegSvcs.exe'
28              - 'RegAsm.exe'
29    selection_dir:
30        CommandLine|contains:
31            # Note: Add more potentially suspicious directories
32            - '\AppData\Local\Temp\'
33            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
34            - '\PerfLogs\'
35            - '\Users\Public\'
36            - '\Windows\Temp\'
37            # - '\Desktop\'
38            # - '\Downloads\'
39    condition: all of selection_*
40falsepositives:
41    - Unknown
42level: medium

References

• Fortiguard

  

  FortiGuard Labs has found an active and widespread attack campaign that distributes a malware it dubs "RedInk", using the RegAsm.exe LOLBIN for exe...

  
  Read More

• Regasm | LOLBAS

  Input: Custom Format This LOLBAS expects the input file to follow a set structure; check the description and linked resources for more details.

  
  Read More

• Regsvcs | LOLBAS

  Input: Custom Format This LOLBAS expects the input file to follow a set structure; check the description and linked resources for more details.

  
  Read More

Related rules

• Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
• DNS Query From Process with Double File Extension
• Download by Process with Double File Extension
• File Creation by Process with Double File Extension
• Network Connection From Process with Double File Extension