T1218.009 · Sub-technique · defense-evasion · agent-callable

T1218.009 Regsvcs/Regasm

Sub-technique of T1218

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm) Both utilities may be used to bypass application control because attributes inside the .NET assembly being registered can specify code to run before registration or unregistration: `[ComRegisterFunction]` or `[ComUnregisterFunction]` respectively. The code carrying these attributes executes even when the process runs with insufficient privileges and the registration or unregistration itself fails. (Citation: LOLBAS Regsvcs) (Citation: LOLBAS Regasm)

ATT&CK tactics (1)

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1218/009
  2. https://msdn.microsoft.com/en-us/library/04za0hca.aspx
  3. https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx
  4. https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
  5. https://lolbas-project.github.io/lolbas/Binaries/Regasm/

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.