regsvcs.exe

regsvcs.exe is the .NET Services Installation tool, used to register a .NET assembly as a COM+ / Enterprise Services component. Developers use it to deploy serviced components (classes derived from System.EnterpriseServices.ServicedComponent). Attackers use it the same way as regasm.exe: to run code from a malicious assembly through a signed Microsoft binary and so bypass application control.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • regsvcs.exe {PATH:.dll} · Execute · Execute dll file and bypass Application whitelisting
  • regsvcs.exe {PATH:.dll} · AWL Bypass · Execute dll file and bypass Application whitelisting

Indicators

Hashes

Not observed.

Analysis

About this process

regsvcs.exe loads a .NET assembly, registers its types with COM and installs its serviced components into a COM+ application. As with regasm.exe, an assembly can carry methods that run during COM registration, so pointing regsvcs at an assembly executes that code; the /u (uninstall) switch runs the matching unregistration method, so both forms of the command line matter. It ships with the .NET Framework, so the genuine binary lives under C:\Windows\Microsoft.NET\Framework and Framework64 (in the versioned subdirectory), not System32.

Legitimately, regsvcs is run by developers and installers deploying COM+ serviced components, which is uncommon on ordinary machines. The assembly it registers and its origin are what give an instance meaning.

Security notes

regsvcs.exe is a system-binary proxy (T1218.009), paired with regasm.exe under the same ATT&CK sub-technique. Because registering a serviced component runs code from the target assembly, an attacker puts the payload in that code and lets the signed Microsoft tool execute it, bypassing application-control rules that trust Microsoft-signed binaries and keeping the payload in a DLL rather than a standalone executable. A rule that only allow-lists the binary by path or signer therefore does not stop it; the assembly argument is what has to be controlled or inspected.

Since COM+ component installation is rare on most hosts, any execution of regsvcs is worth a look; an assembly loaded from a temp or download folder, or a parent such as an Office application, turns that into a strong signal.

Anomaly signals
  • An assembly loaded from a user-writable path (Temp, AppData, Downloads) · high
  • Parent is an Office application, a script host, cmd.exe, or powershell.exe · high
  • Outbound network connections or child processes from regsvcs · high
  • Running on a host with no COM+ or development activity · med
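The checks described under "About this process" (the genuine image lives only under the .NET Framework directories) and the anomaly signals listed above, turned into scoring logic over process-creation events. This is an added example, not code from the original page or from any detection product; the event schema (image, cmdline, parent_image, network, children, host_has_complus_activity), the sample events, the parent-process list, the user-writable path markers and the weights are all constructed assumptions.

```python
"""Score regsvcs.exe process-creation events against the anomaly signals above.

Added example, not code from the original page. The event schema, sample events,
parent list, path markers and weights are constructed assumptions.
"""
import ntpath
import re

# Directories holding the genuine binary (32-bit and 64-bit .NET Framework trees).
GENUINE_IMAGE_DIRS = (
    "c:/windows/microsoft.net/framework/",
    "c:/windows/microsoft.net/framework64/",
)
# Path fragments taken to indicate a user-writable location (assumed list).
USER_WRITABLE_MARKERS = ("/temp/", "/appdata/", "/downloads/", "/users/public/")
# Parents that should not be launching a .NET services installer (assumed list).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
    "cmd.exe", "powershell.exe", "pwsh.exe",
}
HIGH, MED = 3, 1  # weights standing in for the page's high/med ratings


def norm(path):
    # Lower-case and use forward slashes so substring checks stay simple.
    return path.lower().replace("\\", "/")


def extract_assembly(cmdline):
    """Return the assembly argument from a regsvcs command line, or None.
    Handles quoted and unquoted arguments; skips switches such as /u or /fc."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    for quoted, bare in tokens[1:]:          # tokens[0] is the image itself
        arg = quoted or bare
        if arg.startswith(("/", "-")):
            continue
        return arg
    return None


def score_event(ev):
    """Return (score, reasons) for one process-creation event (constructed schema)."""
    if ntpath.basename(ev["image"]).lower() != "regsvcs.exe":
        return 0, []
    score, reasons = 0, []
    # Copied or renamed binary: the genuine one lives only under the Framework dirs.
    if not norm(ev["image"]).startswith(GENUINE_IMAGE_DIRS):
        score += HIGH
        reasons.append("image outside the .NET Framework directories")
    asm = extract_assembly(ev["cmdline"])
    if asm and any(m in norm(asm) for m in USER_WRITABLE_MARKERS):
        score += HIGH
        reasons.append(f"assembly from user-writable path: {asm}")
    parent = ntpath.basename(ev.get("parent_image", "")).lower()
    if parent in SUSPICIOUS_PARENTS:
        score += HIGH
        reasons.append(f"suspicious parent: {parent}")
    if ev.get("network") or ev.get("children"):
        score += HIGH
        reasons.append("network connections or child processes from regsvcs")
    if not ev.get("host_has_complus_activity", False):
        score += MED
        reasons.append("host has no COM+ or development activity")
    return score, reasons


def suspicious(events, threshold=HIGH):
    """(score, reasons, event) for events at or above the threshold, highest first."""
    hits = [(s, r, e) for (s, r), e in ((score_event(e), e) for e in events) if s >= threshold]
    return sorted(hits, key=lambda t: t[0], reverse=True)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # installer deploying a serviced component on a server that already runs COM+
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
        "cmdline": r'RegSvcs.exe "C:\Program Files\Contoso\Orders\Orders.Services.dll"',
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "network": False, "children": [], "host_has_complus_activity": True,
    },
    {   # genuine binary proxying an assembly dropped by a document
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        "cmdline": r"RegSvcs.exe C:\Users\bob\AppData\Local\Temp\update.dll",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "network": True, "children": [], "host_has_complus_activity": False,
    },
    {   # copied binary run from a public folder with the uninstall switch
        "image": r"C:\Users\Public\regsvcs.exe",
        "cmdline": r"regsvcs.exe /u C:\Users\Public\svc.dll",
        "parent_image": r"C:\Windows\explorer.exe",
        "network": False, "children": [], "host_has_complus_activity": False,
    },
]

if __name__ == "__main__":
    for score, reasons, ev in suspicious(SAMPLE_EVENTS):
        print(score, ev["cmdline"])
        for r in reasons:
            print("   -", r)
```

The parser deliberately skips switches so the /u form is scored on the same assembly path as a plain registration, and the image-path check catches a copy of the binary that has been moved out of the Framework tree, which the LOLBAS entries alone do not cover.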

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
