Analytics Story: Suspicious Regsvcs Regasm Activity

Date: 2024-09-24 ID: 2cdf33a0-4805-4b61-b025-59c20f418fbe Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

Why it matters

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Regasm Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regasm with Network Connection System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regasm with no Command Line Arguments System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvcs Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvcs with Network Connection System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvcs with No Command Line Arguments System Binary Proxy Execution, Regsvcs/Regasm TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 2