Process

unknown

regasm.exe

regasm.exe is the .NET Assembly Registration tool, used to register a .NET assembly so that COM clients can call it. Developers use it when exposing managed code to COM. Attackers use it to run a malicious assembly through a signed Microsoft binary, bypassing application control.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • regasm.exe {PATH:.dll} · AWL Bypass · Execute code and bypass Application whitelisting
  • regasm.exe /U {PATH:.dll} · Execute · Execute code and bypass Application whitelisting

Indicators

Hashes

Not observed.

Analysis

About this process

regasm.exe reads a .NET assembly and writes the registry entries that let COM applications create and call its types. The detail that matters is that an assembly can define methods that run during registration and unregistration, so pointing regasm at an assembly executes that code. It ships with the .NET Framework, so the genuine binary lives under C:\Windows\Microsoft.NET\Framework and Framework64, not System32.

Legitimately, regasm is run by developers and installers to make managed components available to COM. The assembly it registers, and where that assembly came from, are what give an instance its meaning.

Security notes

regasm.exe is a system-binary proxy (T1218.009). Because an assembly can carry code in its registration and unregistration functions, an attacker builds an assembly with the payload in those callbacks and runs regasm /u evil.dll (or the registration path, without /u) so that the signed Microsoft tool executes it. The closely related regsvcs.exe abuses the same .NET registration callbacks. Both bypass application-control rules that trust Microsoft binaries and keep the payload inside a DLL.

Because the binary and the registration action are both legitimate, the context is what to read: the assembly path, the parent process, and whether the host does any development work. An assembly run from a temp or download folder, or regasm launched by an Office process, is the case to examine.

Anomaly signals
  • An assembly loaded from a user-writable path (Temp, AppData, Downloads) · high
  • Parent is an Office application, a script host, cmd.exe, or powershell.exe · high
  • Outbound network connections or child processes from regasm · high
  • Running on a host with no development or installation activity · med
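The signals above, applied to process-creation telemetry, as an added example that is not part of this catalogue entry. It assumes its own event field names (image, command_line, parent_image, network_connections, child_processes, host_has_dev_activity), an assumed list of Office and script-host parent names, and assumed severity weights; it also flags an image outside the .NET Framework directories named in the About section. The two sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Directories the page names as home of the genuine binary (never System32).
GENUINE_DIRS = (r"c:\windows\microsoft.net\framework",
                r"c:\windows\microsoft.net\framework64")
# Path fragments treated as user-writable (assumption, from the signal list).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\")
# Parents the signal list calls out; the Office/script-host names are assumed.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
WEIGHTS = {"high": 3, "med": 1}  # assumed scoring weights

def assembly_from_cmdline(cmdline):
    """Return the assembly argument: first token after the image that is not a switch."""
    tokens = re.findall(r'"[^"]+"|\S+', cmdline)
    for tok in tokens[1:]:
        if not tok.startswith(("/", "-")):
            return tok.strip('"')
    return None

def score_regasm_event(ev):
    """Evaluate one process-creation event (dict with assumed field names)
    against the anomaly signals; returns (score, [(signal, severity), ...])."""
    signals = []
    if not ev["image"].lower().startswith(GENUINE_DIRS):
        signals.append(("image outside the .NET Framework directories", "high"))
    asm = assembly_from_cmdline(ev["command_line"])
    if asm and any(frag in asm.lower() for frag in USER_WRITABLE):
        signals.append(("assembly loaded from user-writable path", "high"))
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    if parent in SUSPICIOUS_PARENTS:
        signals.append(("launched by " + parent, "high"))
    if ev.get("network_connections", 0) or ev.get("child_processes", 0):
        signals.append(("network or child-process activity from regasm", "high"))
    if not ev.get("host_has_dev_activity", True):
        signals.append(("host has no development or installation activity", "med"))
    return sum(WEIGHTS[sev] for _, sev in signals), signals

# Constructed sample events: an installer registering a vendor component, and a
# document-spawned unregistration of a DLL sitting in the user's Temp folder.
BENIGN = {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
          "command_line": r'RegAsm.exe /codebase "C:\Program Files\Vendor\Comp.dll"',
          "parent_image": r"C:\Program Files\Vendor\setup.exe", "host_has_dev_activity": True}
SUSPECT = {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
           "command_line": r'regasm.exe /U "C:\Users\bob\AppData\Local\Temp\update.dll"',
           "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           "child_processes": 0, "host_has_dev_activity": False}

if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, score_regasm_event(ev))
```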

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
