attack.t1218.009

RegAsm.EXE Initiating Network Connection To Public IP

Mar 4, 2025 · attack.defense-evasion attack.t1218.009 ·

Share on:

Detects "RegAsm.exe" initiating a network connection to public IP adresses

Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Aug 12, 2024 · attack.defense-evasion attack.t1218.009 ·

Share on:

Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location

Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension

Aug 12, 2024 · attack.defense-evasion attack.t1218.009 ·

Share on:

Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.

DNS Query From Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects DNS queries from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Download by Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

File Creation by Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects file creations by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Network Connection From Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects network connections from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Suspicious Process Injection to RegAsm

Jan 30, 2023 · attack.defense_evasion attack.t1218 attack.t1218.009 ·

Share on:

Detects potential process injection of RegAsm.exe as indicated by lack of command-line arguments. This was observed in a recent campaign to distribute AsyncRAT and Quasar RAT using malicious OneNot files.