Skip to content
Threat Feed
medium advisory

Regasm.exe Making External Network Connection

The detection of regasm.exe, a Microsoft-signed binary, establishing a network connection to a public IP address (excluding private ranges) may indicate command and control activity or attempts to bypass application control.

The regasm.exe (Assembly Registration Tool) is a legitimate Microsoft-signed binary used for registering .NET assemblies. Adversaries may abuse regasm.exe to bypass application control or establish command and control (C2) communication. This activity is detected by monitoring network connections initiated by regasm.exe to public IP addresses, excluding connections to known private IP ranges. The LOLBAS project has documented the potential misuse of this binary. This activity is significant as it can be used to proxy malicious commands or download payloads. The detection is based on Sysmon Event ID 3 (Network Connect).

Attack Chain

  1. The adversary gains initial access through unspecified means (e.g., phishing, exploit).
  2. The adversary executes regasm.exe on the compromised system.
  3. regasm.exe attempts to establish a network connection to a public IP address.
  4. The connection bypasses typical application control restrictions due to the binary being signed by Microsoft.
  5. Data is transmitted over the established connection, potentially downloading malicious payloads or sending command execution results.
  6. The adversary uses the connection to maintain remote access and control.
  7. Further malicious activities are executed, such as lateral movement or data exfiltration.

Impact

A successful attack leveraging regasm.exe for network communication could allow an adversary to establish a persistent command and control channel within the environment. This could lead to further compromise, including data exfiltration, deployment of ransomware, or other malicious activities. The number of victims and targeted sectors are currently unknown.

Recommendation

  • Enable Sysmon Event ID 3 (Network Connect) logging to collect the necessary network connection data (Sysmon EventID 3).
  • Deploy the Sigma rule "Detect Regasm with Network Connection" to your SIEM and tune for your environment to reduce false positives (Sigma rule).
  • Investigate any alerts generated by the "Detect Regasm with Network Connection" rule, focusing on the destination IP address and associated processes (Sigma rule).
  • Implement application control policies that monitor and restrict the execution of regasm.exe, even though it's a signed binary, especially when network connections are involved.
  • Review endpoint network connection logs for regasm.exe to identify any unusual or suspicious connections to external IP addresses.

Detection coverage 2

Detect Regasm with Network Connection

medium

Detects regasm.exe establishing a network connection to a public IP address, excluding private IP ranges.

sigma tactics: defense_evasion techniques: T1218.009 sources: network_connection, windows

Detect Regasm Execution

info

Detects the execution of regasm.exe.

sigma tactics: defense_evasion techniques: T1218.009 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →