Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8)
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Regsvcs/Regasm - T1218.009 (c48a67ee-b657-45c1-91bf-6cdbe27205f8) | Attack Pattern | 1 |