Description

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-02-11
  • Author: Michael Haag, Splunk
  • ID: 2cdf33a0-4805-4b61-b025-59c20f418fbe

Narrative

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities used to register .NET Component Object Model (COM) assemblies, and both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. When reviewing usage of Regasm.exe or Regsvcs.exe, also review file modification events for script code that may have been written to disk, and review parallel process events for csc.exe being used to compile that script code.
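The three conditions the detections below key on (no command-line arguments, a spawned child process, a network connection) can be checked over endpoint process events in plain code as well. The following is an added illustration, not Splunk's own SPL or code; the sample events and their field names are constructed here in the spirit of the Endpoint datamodel and are not taken from the story.

```python
import re

# Constructed sample process events (not from the page). Fields mimic the
# Endpoint datamodel: process_name, process (full command line), the parent,
# child processes the process spawned, and whether it made a network connection.
EVENTS = [
    {"host": "ws01", "process_name": "regasm.exe",
     "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "parent_process_name": "explorer.exe", "children": [], "network": False},
    {"host": "ws02", "process_name": "regsvcs.exe",
     "process": r"regsvcs.exe C:\Users\a\AppData\Local\Temp\x.dll",
     "parent_process_name": "cmd.exe", "children": ["cmd.exe", "powershell.exe"],
     "network": True},
    # Developer build host: arguments present, no children, no network. Benign
    # registrations like this are the usual source of noise for these detections.
    {"host": "build01", "process_name": "regasm.exe",
     "process": r"regasm.exe /codebase C:\proj\bin\Release\MyLib.dll",
     "parent_process_name": "msbuild.exe", "children": [], "network": False},
]

TARGETS = {"regasm.exe", "regsvcs.exe"}
# Command line that is nothing but the (optionally quoted, optionally full-path) binary.
BARE_BINARY = re.compile(r'"?(?:[A-Za-z]:\\[^"]*\\)?(?:regasm|regsvcs)\.exe"?', re.IGNORECASE)

def no_arguments(event):
    """True when the process field carries no arguments after the executable."""
    return BARE_BINARY.fullmatch(event["process"].strip()) is not None

def evaluate(event):
    """Return the names of the story's detections that fire for one event."""
    findings = []
    if event["process_name"].lower() not in TARGETS:
        return findings
    name = event["process_name"].split(".")[0].capitalize()  # "Regasm" / "Regsvcs"
    if no_arguments(event):
        findings.append(f"{name} with no command line arguments")
    if event["children"]:
        findings.append(f"{name} spawning a process")
    if event["network"]:
        findings.append(f"{name} with network connection")
    return findings

def triage(events):
    """Map host -> list of firing detections, omitting hosts with none."""
    out = {}
    for e in events:
        hits = evaluate(e)
        if hits:
            out[e["host"]] = hits
    return out
```

Hosts whose only Regasm/Regsvcs activity is a normal registration with arguments (build01 above) produce no findings, which is the behaviour a tuned version of these detections should preserve.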

Detections

Name | Technique | Type
Detect Regasm Spawning a Process | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regasm with Network Connection | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regasm with no Command Line Arguments | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs Spawning a Process | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs with Network Connection | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs with No Command Line Arguments | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP

Reference

source | version: 1