Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run during registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. Methods carrying these attributes are executed even when the process runs with insufficient privileges and the COM registration itself fails, so the attacker's code runs regardless of whether the registration succeeds. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)
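Because the registration hooks fire whether or not registration succeeds, the useful telemetry is the process-creation event itself rather than the registration outcome. The following is an added detection example (not code from MITRE, LOLBAS, or any product) that triages constructed Sysmon Event ID 1 style records for regsvcs.exe/regasm.exe executions. The sample events, the list of suspicious parent processes, and the user-writable path patterns are assumptions to be tuned per environment.

```python
import ntpath
import re

# Constructed sample process-creation records shaped like Sysmon Event ID 1 /
# Windows 4688 fields. These are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {   # benign: a vendor installer registers its interop assembly from Program Files
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /codebase "C:\Program Files\Vendor\Interop.dll"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # suspicious: Office spawns regasm /U against a DLL in the user's Temp dir
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "CommandLine": r"RegAsm.exe /U C:\Users\alice\AppData\Local\Temp\update.dll",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # suspicious: a copy of regsvcs.exe running from Downloads
        "Image": r"C:\Users\alice\Downloads\regsvcs.exe",
        "CommandLine": r"regsvcs.exe C:\Users\alice\Downloads\payload.dll",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # unrelated process; must be ignored by the triage
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

TARGET_BINARIES = {"regasm.exe", "regsvcs.exe"}

# The genuine binaries ship under %windir%\Microsoft.NET\Framework[64]\v<version>\.
FRAMEWORK_DIR = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\(regasm|regsvcs)\.exe$",
    re.IGNORECASE,
)

# User-writable locations an adversary can drop an assembly into (assumption; tune locally).
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)

# Parents that have no business registering COM assemblies (assumption; tune locally).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}


def is_regsvcs_regasm(image):
    """True when the created process is one of the two utilities, by image basename."""
    return ntpath.basename(image).lower() in TARGET_BINARIES


def assembly_args(command_line):
    """Return every .dll argument on the command line, quoted or not."""
    pairs = re.findall(r'"([^"]+\.dll)"|(\S+\.dll)', command_line, re.IGNORECASE)
    return [quoted or bare for quoted, bare in pairs]


def has_unregister_flag(command_line):
    """True when /U or /unregister is present; that path still runs [ComUnregisterFunction] code."""
    return re.search(r"(?:^|\s)[/-]u(?:nregister)?(?:\s|$)", command_line, re.IGNORECASE) is not None


def evaluate(event):
    """Return the list of reasons an event is suspicious.

    An empty list means regsvcs/regasm ran in a shape consistent with ordinary
    installer use; None means the event is not a regsvcs/regasm execution at all.
    """
    if not is_regsvcs_regasm(event["Image"]):
        return None
    reasons = []
    if not FRAMEWORK_DIR.match(event["Image"]):
        reasons.append("binary not running from the .NET Framework directory")
    for asm in assembly_args(event["CommandLine"]):
        if USER_WRITABLE.search(asm):
            reasons.append(f"assembly loaded from user-writable location: {asm}")
    if has_unregister_flag(event["CommandLine"]):
        reasons.append("unregister invocation (/U) still executes [ComUnregisterFunction] code")
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons


def triage(events):
    """Map event index -> reasons, for every regsvcs/regasm execution that tripped a check."""
    hits = {}
    for index, event in enumerate(events):
        reasons = evaluate(event)
        if reasons:
            hits[index] = reasons
    return hits


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {index}: " + "; ".join(reasons))
```

The checks are deliberately about execution context (where the binary and the assembly live, who launched it, whether the unregister path was taken) rather than about registration success, since the attributed methods run either way. Legitimate installers do call these utilities, so the vendor path and parent lists need an allowlist before this is used for alerting rather than hunting.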
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
CM-2 | Baseline Configuration | Protects | T1218.009 | Regsvcs/Regasm |
CM-6 | Configuration Settings | Protects | T1218.009 | Regsvcs/Regasm |
CM-7 | Least Functionality | Protects | T1218.009 | Regsvcs/Regasm |
CM-8 | System Component Inventory | Protects | T1218.009 | Regsvcs/Regasm |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1218.009 | Regsvcs/Regasm |
SI-10 | Information Input Validation | Protects | T1218.009 | Regsvcs/Regasm |
SI-4 | System Monitoring | Protects | T1218.009 | Regsvcs/Regasm |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1218.009 | Regsvcs/Regasm |
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.009 | Signed Binary Proxy Execution: Regsvcs/Regasm |