{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/regasm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RegAsm"],"_cs_severities":["high"],"_cs_tags":["regasm","process-injection","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe detection analytic identifies instances where regasm.exe is executed without command-line arguments. This behavior is suspicious because RegAsm (Assembly Registration Tool) typically requires arguments specifying which assemblies to register or unregister. The absence of command-line arguments often indicates that the process has been injected into by another process, and its normal execution flow has been altered to evade standard defenses. The detection focuses on endpoint telemetry related to process execution, parent-child relationships, and command-line parameters. It is crucial for defenders because successful exploitation can lead to arbitrary code execution within a trusted process.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a running process or spawns a new process (e.g., PowerShell).\u003c/li\u003e\n\u003cli\u003eThe injected code identifies and targets regasm.exe for process injection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the process injection technique to execute regasm.exe without command-line arguments.\u003c/li\u003e\n\u003cli\u003eRegAsm, now running without arguments, may execute attacker-controlled code due to the injected malicious payload.\u003c/li\u003e\n\u003cli\u003eThe injected code performs malicious actions such as modifying system configurations, creating persistence mechanisms, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised process to move laterally within the network and access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, system disruption, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to execute arbitrary code within the context of a trusted system process, potentially bypassing application control policies and detection mechanisms. This can lead to privilege escalation, persistence, lateral movement, and data compromise. While the exact number of victims and sectors targeted are unknown, any environment where RegAsm is present is potentially vulnerable, especially developer workstations and servers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect instances of RegAsm executing without command-line arguments and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to provide the necessary telemetry for the detection rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of RegAsm executing without arguments to determine the root cause and scope of the compromise.\u003c/li\u003e\n\u003cli\u003eReview and harden endpoint security policies to prevent process injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-regasm-no-args/","summary":"The execution of regasm.exe without command-line arguments is often indicative of process injection and potential code execution, which could lead to privilege escalation, persistence, or data compromise.","title":"RegAsm Executed Without Command Line Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-09-regasm-no-args/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft .NET Framework"],"_cs_severities":["medium"],"_cs_tags":["regasm","application-control-bypass","command-and-control","lolbin"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u003ccode\u003eregasm.exe\u003c/code\u003e (Assembly Registration Tool) is a legitimate Microsoft-signed binary used for registering .NET assemblies. Adversaries may abuse \u003ccode\u003eregasm.exe\u003c/code\u003e to bypass application control or establish command and control (C2) communication. This activity is detected by monitoring network connections initiated by \u003ccode\u003eregasm.exe\u003c/code\u003e to public IP addresses, excluding connections to known private IP ranges. The LOLBAS project has documented the potential misuse of this binary. This activity is significant as it can be used to proxy malicious commands or download payloads. The detection is based on Sysmon Event ID 3 (Network Connect).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary gains initial access through unspecified means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe adversary executes \u003ccode\u003eregasm.exe\u003c/code\u003e on the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eregasm.exe\u003c/code\u003e attempts to establish a network connection to a public IP address.\u003c/li\u003e\n\u003cli\u003eThe connection bypasses typical application control restrictions due to the binary being signed by Microsoft.\u003c/li\u003e\n\u003cli\u003eData is transmitted over the established connection, potentially downloading malicious payloads or sending command execution results.\u003c/li\u003e\n\u003cli\u003eThe adversary uses the connection to maintain remote access and control.\u003c/li\u003e\n\u003cli\u003eFurther malicious activities are executed, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging \u003ccode\u003eregasm.exe\u003c/code\u003e for network communication could allow an adversary to establish a persistent command and control channel within the environment. This could lead to further compromise, including data exfiltration, deployment of ransomware, or other malicious activities. The number of victims and targeted sectors are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connect) logging to collect the necessary network connection data (Sysmon EventID 3).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Regasm with Network Connection\u0026quot; to your SIEM and tune for your environment to reduce false positives (Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026quot;Detect Regasm with Network Connection\u0026quot; rule, focusing on the destination IP address and associated processes (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement application control policies that monitor and restrict the execution of \u003ccode\u003eregasm.exe\u003c/code\u003e, even though it's a signed binary, especially when network connections are involved.\u003c/li\u003e\n\u003cli\u003eReview endpoint network connection logs for \u003ccode\u003eregasm.exe\u003c/code\u003e to identify any unusual or suspicious connections to external IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-regasm-network/","summary":"The detection of regasm.exe, a Microsoft-signed binary, establishing a network connection to a public IP address (excluding private ranges) may indicate command and control activity or attempts to bypass application control.","title":"Regasm.exe Making External Network Connection","url":"https://feed.craftedsignal.io/briefs/2024-01-regasm-network/"}],"language":"en","title":"CraftedSignal Threat Feed - Regasm","version":"https://jsonfeed.org/version/1.1"}