Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NETComponent Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft.[1][2]
Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration:[ComRegisterFunction] or[ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute.[3][4]
| ID | Name | Description |
|---|---|---|
| S0331 | Agent Tesla | Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity.[5] |
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Regsvcs and Regasm may not be necessary within a given environment. |
| M1038 | Execution Prevention | Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0361 | Detecting .NET COM Registration Abuse via Regsvcs/Regasm | AN1028 | Abuse of Regsvcs.exe or Regasm.exe to execute arbitrary code embedded in .NET assemblies via [ComRegisterFunction]/[ComUnregisterFunction]. Behavioral chain: (1) Process creation of regsvcs/regasm with suspicious assembly paths/flags → (2) Assembly/DLL load inside regsvcs/regasm → (3) Registry writes to HKCR\CLSID/ProgID during COM registration → (4) Optional child process or network activity spawned by installer/registration code. |