LoFP / although unlikely, limited instances of regasm.exe or may cause a false positive. filter based endpoint usage, command line arguments, or process lineage.

Techniques

• T1218
• T1218.009

Sample rules

Detect Regasm with no Command Line Arguments

• source: splunk
• technicques:
  • T1218
  • T1218.009

Description

The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

Detection logic

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h  Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process  Processes.parent_process_name 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| regex process="(?i)(regasm\.exe.{0,4}$)" 
| `detect_regasm_with_no_command_line_arguments_filter`