T1218.009 Regsvcs/Regasm Mappings

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)

Both utilities can be used to bypass application control: attributes inside the assembly, [ComRegisterFunction] and [ComUnregisterFunction], mark methods that the utility runs during registration and unregistration respectively. A method carrying one of these attributes is executed even when the process lacks the privileges needed to complete the registration, so the registration itself can fail (for example, when run as a non-administrator) after the attacker's code has already run. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)
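Because the attacker's code runs inside a Microsoft-signed binary, the practical defensive handle is the process-creation telemetry the SI-4 (System Monitoring) mapping points at: who launched regsvcs.exe/regasm.exe, from where, and against which assembly. The script below is an added example written for this page; it is not code from ATT&CK, from the mappings project, or from any cited source. It reads JSON-lines records in a Sysmon Event ID 1-like shape and flags executions whose assembly sits outside trusted install roots, whose parent is not an installer or build tool, or whose image has been copied out of the .NET Framework directory (matched via OriginalFileName so a renamed copy is still caught). The sample records, the trusted-path list and the expected-parent list are constructed assumptions to tune per environment.

```python
"""Flag suspicious regsvcs.exe / regasm.exe executions (ATT&CK T1218.009).

Added example for this page, not code from ATT&CK, the mappings project or any
cited source. Input is JSON-lines in a Sysmon Event ID 1-like shape; the sample
records, trusted roots and expected parents are constructed assumptions.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# The genuine binaries live under %WINDIR%\Microsoft.NET\Framework[64]\vX.
FRAMEWORK_ROOT = "c:\\windows\\microsoft.net\\framework"
# Assumption: assemblies legitimately registered on these hosts sit under these roots.
TRUSTED_ASSEMBLY_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Assumption: processes expected to drive COM registration (installers, build tools).
EXPECTED_PARENTS = {"msiexec.exe", "devenv.exe", "msbuild.exe", "setup.exe"}
LOLBIN_NAMES = {"regsvcs.exe", "regasm.exe"}

# Constructed sample telemetry (not real data). Line 3 is a benign vendor install.
SAMPLE_LOGS = r"""
{"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regsvcs.exe", "OriginalFileName": "RegSvcs.exe", "CommandLine": "regsvcs.exe C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "User": "CORP\\alice"}
{"Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe", "OriginalFileName": "RegAsm.exe", "CommandLine": "regasm.exe /U C:\\Users\\bob\\Downloads\\tool.dll", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\bob"}
{"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe", "OriginalFileName": "RegAsm.exe", "CommandLine": "regasm.exe /codebase \"C:\\Program Files\\Vendor\\Vendor.Interop.dll\"", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"Image": "C:\\Users\\Public\\ra.exe", "OriginalFileName": "RegAsm.exe", "CommandLine": "ra.exe C:\\Users\\Public\\x.dll", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\alice"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
""".strip().splitlines()


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: str) -> List[str]:
    # Quoted arguments may contain spaces; everything else splits on whitespace.
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_regsvcs_or_regasm(rec: dict) -> bool:
    # Match on OriginalFileName too, so a renamed copy (ra.exe) is still caught.
    names = {_basename(rec.get("Image", "")), rec.get("OriginalFileName", "").lower()}
    return bool(names & LOLBIN_NAMES)


def target_assembly(cmdline: str) -> Optional[str]:
    # The first non-switch argument after the program name is the assembly path.
    for tok in _tokens(cmdline)[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def unregister_requested(cmdline: str) -> bool:
    return any(t.lower() in ("/u", "/unregister", "-u") for t in _tokens(cmdline)[1:])


def is_trusted_assembly_path(path: Optional[str]) -> bool:
    return path is not None and path.lower().startswith(TRUSTED_ASSEMBLY_ROOTS)


@dataclass
class Finding:
    line_no: int
    user: str
    image: str
    assembly: Optional[str]
    reasons: List[str]


def analyze(lines) -> List[Finding]:
    findings = []
    for n, line in enumerate(lines, 1):
        rec = json.loads(line)
        if not is_regsvcs_or_regasm(rec):
            continue
        reasons = []
        image = rec.get("Image", "")
        cmdline = rec.get("CommandLine", "")
        if not image.lower().startswith(FRAMEWORK_ROOT):
            reasons.append("image_outside_framework")  # copied or renamed regasm/regsvcs
        asm = target_assembly(cmdline)
        if not is_trusted_assembly_path(asm):
            reasons.append("assembly_untrusted_path")
            if unregister_requested(cmdline):
                # /U still invokes any [ComUnregisterFunction] method in the assembly.
                reasons.append("unregister_untrusted")
        if _basename(rec.get("ParentImage", "")) not in EXPECTED_PARENTS:
            reasons.append("unexpected_parent")
        if reasons:
            findings.append(Finding(n, rec.get("User", ""), image, asm, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.user} ran {f.image} on {f.assembly}: {', '.join(f.reasons)}")
```

The benign msiexec-driven registration of an assembly under Program Files produces no finding, while the renamed copy in C:\Users\Public is caught only because the rule also consults OriginalFileName; a rule keyed on the image name alone would miss it.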


Mappings

Capability ID                                   Capability Description                            Mapping Type  ATT&CK ID  ATT&CK Name
CM-2                                            Baseline Configuration                            Protects      T1218.009  Regsvcs/Regasm
CM-6                                            Configuration Settings                            Protects      T1218.009  Regsvcs/Regasm
CM-7                                            Least Functionality                               Protects      T1218.009  Regsvcs/Regasm
CM-8                                            System Component Inventory                        Protects      T1218.009  Regsvcs/Regasm
RA-5                                            Vulnerability Monitoring and Scanning             Protects      T1218.009  Regsvcs/Regasm
SI-10                                           Information Input Validation                      Protects      T1218.009  Regsvcs/Regasm
SI-4                                            System Monitoring                                 Protects      T1218.009  Regsvcs/Regasm
SI-7                                            Software, Firmware, and Information Integrity     Protects      T1218.009  Regsvcs/Regasm
action.hacking.variety.Abuse of functionality   Abuse of functionality                            related-to    T1218.009  Signed Binary Proxy Execution: Regsvcs/Regasm

The CM-, RA- and SI- identifiers are NIST SP 800-53 controls; the final row is a VERIS enumeration. Both "Regsvcs/Regasm" and "Signed Binary Proxy Execution: Regsvcs/Regasm" refer to the same technique ID, T1218.009; the longer form carries the earlier name of the parent technique T1218, which ATT&CK later renamed to System Binary Proxy Execution.