Description
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)
Platforms
Mitigations (2)
Execution PreventionM1038
Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.
Disable or Remove Feature or ProgramM1042
Regsvcs and Regasm may not be necessary within a given environment.
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has dropped RegAsm.exe onto systems for performing malicious activity.(Citation: SentinelLabs A... |
References
- LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
- LOLBAS. (n.d.). Regsvcs.exe. Retrieved July 31, 2019.
- Microsoft. (n.d.). Regasm.exe (Assembly Registration Tool). Retrieved July 1, 2016.
- Microsoft. (n.d.). Regsvcs.exe (.NET Services Installation Tool). Retrieved July 1, 2016.
Frequently Asked Questions
What is T1218.009 (Regsvcs/Regasm)?
T1218.009 is a MITRE ATT&CK technique named 'Regsvcs/Regasm'. It belongs to the Stealth tactic(s). Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component O...
How can T1218.009 be detected?
Detection of T1218.009 (Regsvcs/Regasm) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1218.009?
There are 2 documented mitigations for T1218.009. Key mitigations include: Execution Prevention, Disable or Remove Feature or Program.
Which threat groups use T1218.009?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.