Abuse of Regsvcs.exe or Regasm.exe to execute arbitrary code embedded in .NET assemblies via [ComRegisterFunction]/[ComUnregisterFunction].

Behavioral chain:

1. Process creation of regsvcs/regasm with suspicious assembly paths/flags
2. Assembly/DLL load inside regsvcs/regasm
3. Registry writes to HKCR\CLSID/ProgID during COM registration
4. Optional child process or network activity spawned by installer/registration code

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| AssemblyPathRegex | Environment-specific paths to flag (e.g., %TEMP%, Downloads, OneDrive, SMB shares). Helps suppress known-good installers. |
| SuspiciousFlags | Arguments like /unregister (/u), /codebase, /regfile which may indicate abuse. Tune per enterprise use of regasm/regsvcs. |
| ParentProcessAllowList | Legitimate parents (e.g., setup.exe, msiexec.exe). Analyst can prune false positives from Office or script hosts. |
| KnownGoodAssemblies | Hashes or publisher info for approved assemblies commonly registered in the environment. |
| RegistryKeyAllowList | Approved CLSIDs/ProgIDs written during sanctioned software installs. |
| TimeWindow | Correlation window (e.g., 5–10 min) between file drop → regasm/regsvcs exec → registry writes → child activity. |
| SignedToUnsignedTransition | Alert if Microsoft-signed regasm/regsvcs loads or triggers unsigned assemblies/children. |
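As an added example (not part of the strategy text above and not MITRE tooling), the following Python correlator walks the four-stage behavioral chain over constructed events and applies every tunable field from the table: AssemblyPathRegex, SuspiciousFlags, ParentProcessAllowList, KnownGoodAssemblies, RegistryKeyAllowList, TimeWindow and SignedToUnsignedTransition. The flattened field names (`pid`, `parent_pid`, `loaded`, `target`, `dest`), the hash placeholder, both CLSIDs, the file paths and the 203.0.113.10 address are constructed for the illustration; the sample set contains one suspicious regasm chain launched from an Office process and one benign msiexec-driven regsvcs install that the allowlists should suppress.

```python
"""Constructed example: correlate the regsvcs/regasm behavioral chain over sample events.

Events are flattened dicts standing in for Security 4688 and Sysmon 3/7/12/13 records;
field names and all sample values are constructed for this illustration.
"""
import re
from datetime import datetime, timedelta

# --- Tunable fields from the strategy (constructed values; tune per environment) ---
ASSEMBLY_PATH_REGEX = re.compile(r"\\(temp|downloads|onedrive)\\|^\\\\", re.IGNORECASE)
SUSPICIOUS_FLAGS = {"/u", "/unregister", "/codebase", "/regfile"}
PARENT_PROCESS_ALLOW_LIST = {"setup.exe", "msiexec.exe"}
KNOWN_GOOD_ASSEMBLIES = {"SHA256=PLACEHOLDER_APPROVED_VENDOR_HASH"}  # placeholder hash
REGISTRY_KEY_ALLOW_LIST = {r"HKCR\CLSID\{11111111-2222-3333-4444-555555555555}"}  # constructed
TIME_WINDOW = timedelta(minutes=10)
TARGET_BINARIES = {"regasm.exe", "regsvcs.exe"}

NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [  # constructed: one suspicious chain (pid 4120), one benign install (pid 5000)
    {"time": "2024-05-01T10:00:00", "code": 4688, "pid": 4120, "image": NET + r"\regasm.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"regasm.exe /u C:\Users\alice\AppData\Local\Temp\payload.dll"},
    {"time": "2024-05-01T10:00:02", "code": 7, "pid": 4120, "image": NET + r"\regasm.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\payload.dll",
     "hashes": "SHA256=CONSTRUCTED_UNKNOWN_HASH", "signed": False},
    {"time": "2024-05-01T10:00:03", "code": 12, "pid": 4120, "image": NET + r"\regasm.exe",
     "target": r"HKCR\CLSID\{99999999-8888-7777-6666-555555555555}\InprocServer32"},
    {"time": "2024-05-01T10:00:05", "code": 3, "pid": 4120, "image": NET + r"\regasm.exe",
     "dest": "203.0.113.10:443"},  # TEST-NET-3 documentation address
    {"time": "2024-05-01T11:30:00", "code": 4688, "pid": 5000, "image": NET + r"\regsvcs.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvcs.exe "C:\Program Files\Vendor\Vendor.Com.dll"'},
    {"time": "2024-05-01T11:30:01", "code": 7, "pid": 5000, "image": NET + r"\regsvcs.exe",
     "loaded": r"C:\Program Files\Vendor\Vendor.Com.dll",
     "hashes": "SHA256=PLACEHOLDER_APPROVED_VENDOR_HASH", "signed": True},
    {"time": "2024-05-01T11:30:02", "code": 12, "pid": 5000, "image": NET + r"\regsvcs.exe",
     "target": r"HKCR\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32"},
]


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.fromisoformat(s)


def _allowlisted_key(target):
    # A write under a sanctioned CLSID/ProgID key (including its subkeys) is allowlisted
    return any(target.upper().startswith(k.upper()) for k in REGISTRY_KEY_ALLOW_LIST)


def correlate(events, window=TIME_WINDOW):
    """Return one alert per regsvcs/regasm launch whose chain accumulates >= 2 findings."""
    alerts = []
    for start in (e for e in events if e["code"] == 4688 and _name(e["image"]) in TARGET_BINARIES):
        t0, pid = _ts(start["time"]), start["pid"]
        # Stage 1 anchors the TimeWindow; later stages must fall inside it and belong to
        # the same process (or to a child that names it as parent)
        chain = [e for e in events
                 if (e["pid"] == pid or e.get("parent_pid") == pid)
                 and t0 <= _ts(e["time"]) <= t0 + window]
        findings = set()
        args = start["cmdline"].split()
        if {a.lower() for a in args} & SUSPICIOUS_FLAGS:
            findings.add("suspicious_flag")
        if any(ASSEMBLY_PATH_REGEX.search(a) for a in args):
            findings.add("suspicious_path")
        if _name(start["parent"]) not in PARENT_PROCESS_ALLOW_LIST:
            findings.add("unusual_parent")
        for e in chain:
            if e["code"] == 7 and e["hashes"] not in KNOWN_GOOD_ASSEMBLIES:
                findings.add("unknown_assembly_loaded")
                if not e["signed"]:
                    findings.add("signed_to_unsigned")  # signed host binary loading unsigned code
            elif (e["code"] in (12, 13) and e["target"].upper().startswith("HKCR\\")
                  and not _allowlisted_key(e["target"])):
                findings.add("com_registry_write")
            elif e["code"] == 3:
                findings.add("network_connection")
            elif e["code"] == 4688 and e.get("parent_pid") == pid:
                findings.add("child_process")
        if len(findings) >= 2:
            alerts.append({"pid": pid, "image": start["image"], "start": start["time"],
                           "findings": sorted(findings)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two practical points when moving this into a real pipeline: stage 1 can only evaluate SuspiciousFlags and AssemblyPathRegex if command-line auditing is enabled for 4688 (or the Sysmon process-creation event is used instead), and events should be keyed on host plus Sysmon ProcessGuid rather than a bare pid, since pids are reused. The SignedToUnsignedTransition check relies on Sysmon Event 7 carrying the Signed and Hashes fields for each loaded image.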