Analytics Story: Suspicious Regsvcs Regasm Activity

Date: 2024-09-24 ID: 2cdf33a0-4805-4b61-b025-59c20f418fbe Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

Why it matters

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. The following queries assist with detecting suspicious and malicious usage of Regasm.exe and Regsvcs.exe. Upon reviewing usage of Regasm.exe Regsvcs.exe, review file modification events for possible script code written. Review parallel process events for csc.exe being utilized to compile script code.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Detect Regasm Spawning a Process	Regsvcs/Regasm	TTP
Detect Regasm with Network Connection	Regsvcs/Regasm	TTP
Detect Regasm with no Command Line Arguments	Regsvcs/Regasm	TTP
Detect Regsvcs Spawning a Process	Regsvcs/Regasm	TTP
Detect Regsvcs with Network Connection	Regsvcs/Regasm	TTP
Detect Regsvcs with No Command Line Arguments	Regsvcs/Regasm	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 3	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

Source: GitHub | Version: 2