Find sigma rule

Attack: Signed Binary Proxy Execution: Regsvcs/Regasm

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)

Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)

MITRE

Tactic

defense-evasion

technique

T1218.009

Test : Regasm Uninstall Method Call Test

OS

windows

Description:

Executes the Uninstall Method, No Admin Rights Required. Upon execution, “I shouldn’t really execute either.” will be displayed.

Executor

command_prompt

Sigma Rule

proc_creation_win_csc_susp_dynamic_compilation.yml (id: dcaa3f04-70c3-427a-80b4-b870d73c94c4)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test