Techniques
Sample rules
Detect Regasm with no Command Line Arguments
- source: splunk
- techniques:
  - T1218
  - T1218.009
Description
The following analytic identifies regasm.exe launched with no command line arguments. This behavior occurs when another process injects into regasm.exe: in that case no command line arguments will be present. During investigation, identify any network connections and parallel processes, and look for suspicious module loads related to credential dumping or file writes. Regasm.exe and regsvcs.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| regex process="(?i)(regasm\.exe.{0,4}$)"
| `detect_regasm_with_no_command_line_arguments_filter`
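The rule's filter stage replayed in Python over constructed process events, as an added example that is not part of the Splunk content: `ProcessEvent`, `detect` and the native-path check are this example's own, `is_regasm` only approximates the `process_regasm` macro, and the regex is the one from the rule.

```python
import re
from dataclasses import dataclass

# Regex copied from the rule: the command line ends with "regasm.exe" plus at most
# four trailing characters (closing quote, whitespace), i.e. no real arguments.
NO_ARGS_RE = re.compile(r"(?i)(regasm\.exe.{0,4}$)")

# Native locations from the description (assumption: v* is any one directory component).
NATIVE_PATH_RE = re.compile(
    r"(?i)^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[^\\]+\\regasm\.exe$")

@dataclass
class ProcessEvent:
    dest: str
    process_name: str
    process_path: str
    process: str  # full command line (Processes.process)
    parent_process_name: str

def is_regasm(ev: ProcessEvent) -> bool:
    # Stands in for the `process_regasm` macro (assumption: image-name match).
    return ev.process_name.lower() == "regasm.exe"

def no_arguments(cmdline: str) -> bool:
    return NO_ARGS_RE.search(cmdline) is not None

def detect(events):
    """(event, reasons) for each launch the rule flags; the path check is extra
    triage context taken from the description, not part of the SPL."""
    hits = []
    for ev in events:
        if is_regasm(ev) and no_arguments(ev.process):
            reasons = ["no command line arguments"]
            if not NATIVE_PATH_RE.match(ev.process_path):
                reasons.append("image outside the native .NET Framework directories")
            hits.append((ev, reasons))
    return hits

FW64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real data
    ProcessEvent("ws01", "regasm.exe", FW64, f'"{FW64}"', "explorer.exe"),
    ProcessEvent("ws01", "regasm.exe", FW64, f'"{FW64}" /codebase C:\\app\\MyLib.dll', "msbuild.exe"),
    ProcessEvent("ws02", "regasm.exe", r"C:\Users\Public\regasm.exe", "regasm.exe", "winword.exe"),
    ProcessEvent("ws02", "regsvcs.exe", FW64.replace("regasm", "regsvcs"), "regsvcs.exe", "cmd.exe"),
    # A very short switch stays within the regex's {0,4} tolerance and is flagged too.
    ProcessEvent("ws03", "regasm.exe", FW64, f'"{FW64}" /u', "cmd.exe"),
]
```

Running `detect(SAMPLE_EVENTS)` flags the quoted no-argument launch, the copy under C:\Users\Public (with both reasons) and the `/u` case, while the `/codebase` registration and the regsvcs.exe event pass.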