LoFP / Legitimate use of RegAsm by developers

Techniques

Sample rules

RegAsm.EXE Execution Without CommandLine Flags or Files

Description

Detects the execution of "RegAsm.exe" without any command-line flag or file argument, which might indicate process injection activity (a loader starting the legitimate RegAsm.exe only to inject code into it). Normally "RegAsm.exe" is invoked with the path of the assembly it should register, or with the "/?" flag to print its help. Because both selections below must match, only a command line that ends in the executable name (optionally followed by the closing quote) triggers the rule; any trailing argument, such as an assembly path or "/?", prevents a match, so routine developer registrations do not alert.

Detection logic

detection:
  selection_img:
    - Image|endswith: '\RegAsm.exe'
    - OriginalFileName: 'RegAsm.exe'
  selection_cli:
    CommandLine|endswith:
      - 'RegAsm'
      - 'RegAsm.exe'
      - 'RegAsm.exe"'
      - "RegAsm.exe'"
  condition: all of selection_*
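As an added example (not part of this LoFP page or of the Sigma rule itself), the detection logic above implemented in Python and run over constructed Sysmon-style process-creation events, including the developer usage this page lists as a legitimate false positive. The field names follow the Sigma process_creation convention (Image, OriginalFileName, CommandLine); the sample paths and events are assumptions, not real telemetry.

```python
"""Added illustrative code: the Sigma logic 'all of selection_*' for the
RegAsm.EXE-without-arguments rule, evaluated over constructed events.
Not the Sigma project's code; field names and sample data are assumptions."""

# Sigma 'selection_img': a YAML list of field conditions means OR.
IMAGE_SUFFIX = "\\RegAsm.exe"
ORIGINAL_FILE_NAME = "RegAsm.exe"

# Sigma 'selection_cli': CommandLine|endswith with a list of values means OR.
CLI_SUFFIXES = ("RegAsm", "RegAsm.exe", 'RegAsm.exe"', "RegAsm.exe'")


def selection_img(event):
    """Image ends with \\RegAsm.exe OR OriginalFileName equals RegAsm.exe.
    Sigma string matching is case-insensitive by default, hence lower()."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX.lower()) or ofn == ORIGINAL_FILE_NAME.lower()


def selection_cli(event):
    """CommandLine ends with a bare invocation: the program name alone,
    optionally closed by the quote character that opened it."""
    cmd = event.get("CommandLine", "").lower()
    return any(cmd.endswith(s.lower()) for s in CLI_SUFFIXES)


def rule_matches(event):
    """condition: all of selection_*  (both selections must be true)."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (assumed paths, not captured telemetry).
SAMPLE_EVENTS = [
    {
        "note": "bare quoted path, the pattern injection loaders produce",
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "OriginalFileName": "RegAsm.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    },
    {
        "note": "bare unquoted invocation",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "OriginalFileName": "RegAsm.exe",
        "CommandLine": "RegAsm.exe",
    },
    {
        "note": "developer registering a COM-visible assembly",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "OriginalFileName": "RegAsm.exe",
        "CommandLine": r"RegAsm.exe C:\src\Interop\bin\Release\Interop.dll /codebase /tlb",
    },
    {
        "note": "help output",
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "OriginalFileName": "RegAsm.exe",
        "CommandLine": "RegAsm.exe /?",
    },
    {
        "note": "renamed copy: OriginalFileName matches, command line does not",
        "Image": r"C:\Users\dev\tools\ra.exe",
        "OriginalFileName": "RegAsm.exe",
        "CommandLine": r'"C:\Users\dev\tools\ra.exe"',
    },
    {
        "note": "trailing space: a literal endswith no longer matches",
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "OriginalFileName": "RegAsm.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" ',
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Map each event's note to whether the rule fires on it."""
    return {e["note"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for note, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'ok   '}  {note}")
```

Running it shows why the developer false positive is narrow: a registration such as "RegAsm.exe Interop.dll /codebase /tlb" ends in an argument and never matches, so the only legitimate activity that can alert is a developer or build script launching RegAsm.exe with no arguments at all (it then just prints its usage). The last two events are caveats about the literal endswith matching: a renamed copy of RegAsm.exe passes selection_img through OriginalFileName but fails selection_cli, and a command line padded with trailing whitespace is missed as well, so neither variant should be assumed covered by this rule alone.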