Registration of Uncommon .NET Services and/or Assemblies

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-09-24
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

System Binary Proxy Execution: Regsvcs/Regasm (T1218.009)

Severity

Informational

Description

Regasm.exe and regsvcs.exe are used to register .NET COM assemblies, which are typically located in specific paths, attackers might leverage that to execute code within a Microsoft signed binary.

Attacker's Goals

Load untrusted code into a trusted Microsoft context to evade detection.

Investigative actions

  • Verify if the loaded dll is known to be malicious.
  • Track down which process dropped the library being loaded.
  • Validate if the actions being done by the regasm.exe process are malicious.