Find sigma rule

Attack: Signed Binary Proxy Execution: Regsvcs/Regasm

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)

Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)

MITRE

Tactic

defense-evasion

technique

T1218.009

Test : Regsvcs Uninstall Method Call Test

OS

windows

Description:

Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, “I shouldn’t really execute” will be displayed along with other information about the assembly being installed.

Executor

powershell

Sigma Rule

proc_creation_win_powershell_encode.yml (id: fb843269-508c-4b76-8b8d-88679db22ce7)
proc_creation_win_powershell_cmdline_special_characters.yml (id: d7bcd677-645d-4691-a8d4-7a5602b780d1)
proc_creation_win_powershell_frombase64string.yml (id: e32d4572-9826-4738-b651-95fa63747e8a)
proc_creation_win_csc_susp_dynamic_compilation.yml (id: dcaa3f04-70c3-427a-80b4-b870d73c94c4)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test