Regasm.exe Process Spawning Detection
Detection of regasm.exe spawning a child process, an unusual behavior that may indicate attempts to bypass application control and execute arbitrary code.
The Windows utility regasm.exe (Assembly Registration Tool) is used for registering .NET assemblies. While legitimate, it's also been abused by attackers to bypass application control mechanisms or execute malicious code. This brief focuses on the detection of regasm.exe spawning child processes. The anomalous behavior is identified by monitoring process creation events, where regasm.exe is the parent process. This activity is significant because it's not typical for regasm.exe to spawn other processes. The abuse of this tool could potentially lead to privilege escalation or persistent access within the environment. This technique has been associated with malware such as DarkGate and Snake Keylogger, and threat actors like Void Manticore. Defenders should prioritize investigation of such events to determine the legitimacy of spawned processes and any associated activities.
Attack Chain
- An attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.
- The attacker executes
regasm.exefrom a compromised location or through command-line execution. regasm.exeis used to load a malicious .NET assembly.- The malicious assembly executes code that spawns a new process (e.g.,
cmd.exe,powershell.exe). - The spawned process executes arbitrary commands or malware.
- The attacker uses the spawned process to perform reconnaissance, lateral movement, or exfiltration.
- The attacker escalates privileges using the spawned process.
- The attacker achieves persistence by establishing a scheduled task or modifying registry keys through the spawned process.
Impact
Successful exploitation could lead to arbitrary code execution, privilege escalation, and persistent access within the environment. Attackers can leverage this for reconnaissance, lateral movement, data exfiltration, or deploying ransomware. The number of victims and affected sectors can vary depending on the scope of the initial compromise and the attacker's objectives.
Recommendation
- Deploy the Sigma rule "Regasm Spawning Suspicious Process" to your SIEM and tune for your environment, focusing on identifying unusual child processes of
regasm.exe. - Investigate any alerts generated by the Sigma rule to determine the legitimacy of the spawned processes and any associated malicious activities.
- Monitor process creation events using Sysmon Event ID 1 or Windows Event Log Security 4688, specifically focusing on
regasm.exeas the parent process. - Implement application control policies to restrict the execution of unauthorized or untrusted processes, mitigating the impact of
regasm.exeabuse. - Review and update existing endpoint detection and response (EDR) configurations to ensure comprehensive monitoring and detection capabilities.
- Educate security teams about the potential abuse of legitimate tools like
regasm.exeand the importance of investigating anomalous process creation events.
Detection coverage 2
Regasm Spawning Suspicious Process
highDetects regasm.exe spawning a child process, excluding known-good conhost.exe.
Regasm Spawning PowerShell
highDetects regasm.exe spawning PowerShell, which is highly suspicious.
Detection queries are available on the platform. Get full rules →