detection.wiki

System Binary Proxy Execution: Regsvcs/Regasm T1218.009

Tactic: Stealth

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft.

Events covered

3 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 3Network connection
Security-AuditingEvent ID 4688A new process has been created.

Authoring guide

Patterns shared across the 17 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (13 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
process_name11eq 11arp.exe, atbroker.exe, bginfo.exe, regasm.exe, regsvcs.exe
parent_process_name7eq 7AcroRd32.exe, Acrobat.exe, FoxitPhantomPDF.exe, cmd.exe, eqnedt32.exe
OriginalFileName6eq 5, in 1regasm.exe, regsvcs.exe, cscript.exe, installutil.exe, msbuild.exe
event.type6eq 6start
CommandLine5contains 2, in 2, ends_with 1*regasm, *regasm.exe, *regasm.exe\", *regsvcs, *regsvcs.exe
Image5ends_with 4, wildcard 1\regasm.exe, \regsvcs.exe, ?:\users\*\appdata\*.exe
process.args3starts_with 2, eq 1C:\Intel\, -n, C:\$Recycle.Bin\, C:\AMD\Temp\, C:\PerfLogs\
EventID2eq 23
DestinationPortName1ne 1dns
EventType1eq 1start
Initiated1eq 1true
dest_ip1cidr_match 110.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16
process.code_signature.trusted1ne 1true

Top indicator values (194 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
process_nameeq
regasm.exe
811
process_nameeq
regsvcs.exe
810
process_nameeq
regsvr32.exe
625
process_nameeq
cscript.exe
525
process_nameeq
installutil.exe
518
process_nameeq
mshta.exe
531
process_nameeq
powershell.exe
5104
process_nameeq
wscript.exe
529
process_nameeq
certutil.exe
422
process_nameeq
cmd.exe
477
process_nameeq
cmstp.exe
410
process_nameeq
ieexec.exe
48
process_nameeq
iexpress.exe
48
process_nameeq
microsoft.workflow.compiler.exe
48
process_nameeq
msxsl.exe
49
process_nameeq
ping.exe
49
process_nameeq
pwsh.exe
462
process_nameeq
wmic.exe
447
process_nameeq
arp.exe
38
process_nameeq
atbroker.exe
35
process_nameeq
bginfo.exe
36
process_nameeq
bitsadmin.exe
314
process_nameeq
cdb.exe
37
process_nameeq
csi.exe
36
process_nameeq
dnx.exe
36
process_nameeq
dsget.exe
37
event.typeeq
start
6606
Imageends_with
\regasm.exe
49
OriginalFileNameeq
regasm.exe
48
OriginalFileNameeq
regsvcs.exe
37

Exclusions (101 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
dest_ipcidr_match
10.0.0.0/8
2
dest_ipcidr_match
127.0.0.0/8
2
dest_ipcidr_match
169.254.0.0/16
2
dest_ipcidr_match
172.16.0.0/12
2
dest_ipcidr_match
192.168.0.0/16
2
dest_ipin
10.0.0.0/8
2
dest_ipin
100.64.0.0/10
2
dest_ipin
127.0.0.0/8
2
dest_ipin
169.254.0.0/16
2
dest_ipin
172.16.0.0/12
2
dest_ipin
192.0.0.0/24
2
dest_ipin
192.0.0.0/29
2
dest_ipin
192.0.0.10/32
2
dest_ipin
192.0.0.170/32
2
dest_ipin
192.0.0.171/32
2

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 4 rules

Elastic 7 rules

Splunk 6 rules