Nasreddine Bencherchali
49 lines
1.5 KiB
YAML
49 lines
1.5 KiB
YAML
title: Regasm/Regsvcs Suspicious Execution
|
|
id: cc368ed0-2411-45dc-a222-510ace303cb2
|
|
status: experimental
|
|
description: Detects suspicious execution of Regasm/Regsvcs utilities
|
|
references:
|
|
- https://www.fortiguard.com/threat-signal-report/4718?s=09
|
|
- https://lolbas-project.github.io/lolbas/Binaries/Regasm/
|
|
- https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
|
|
author: Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2022/08/25
|
|
modified: 2023/02/13
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1218.009
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith:
|
|
- '\Regsvcs.exe'
|
|
- '\Regasm.exe'
|
|
- OriginalFileName:
|
|
- 'RegSvcs.exe'
|
|
- 'RegAsm.exe'
|
|
selection_dir:
|
|
CommandLine|contains:
|
|
# Add more suspicious directories
|
|
- '\Users\Public\'
|
|
- '\AppData\Local\Temp\'
|
|
- '\Desktop\'
|
|
- '\Downloads\'
|
|
- '\PerfLogs\'
|
|
- '\Windows\Temp\'
|
|
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
|
|
filter_dll:
|
|
CommandLine|contains: '.dll'
|
|
filter_no_cli:
|
|
# For when the CLI just contains the Image
|
|
CommandLine|endswith:
|
|
- '\Regasm.exe"'
|
|
- '\Regasm.exe'
|
|
- '\Regsvcs.exe"'
|
|
- '\Regsvcs.exe'
|
|
condition: all of selection_* or (selection_img and not 1 of filter_*)
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|