RegAsm.EXE Execution Without CommandLine Flags or Files

Original Source: [Sigma source]
Title: RegAsm.EXE Execution Without CommandLine Flags or Files
Status: experimental
Description:Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity. Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
References:
  -https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
   -https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
   -https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
   -https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
   -https://www.joesandbox.com/analysis/1467354/0/html
 Author: frack113
Date: 2025-06-04
modified:None
Tags:
  • -'attack.defense-evasion'
  • -'attack.t1218.009'
Logsource:
  • product: windows
  • category: process_creation
Detection:
  selection_img:
Image|endswith:'\RegAsm.exe' OriginalFileName:'RegAsm.exe'   selection_cli:
    CommandLine|endswith:
      -'RegAsm'
      -'RegAsm.exe'
      -'RegAsm.exe"'
      -'RegAsm.exe''

  condition:all of selection_*
Falsepositives:
  -Legitimate use of Regasm by developers.
Level: low

© 2024 DetectionCode Website. All Rights Reserved.