Detectionlowexperimental
RegAsm.EXE Execution Without CommandLine Flags or Files
Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity. Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Image|endswith: '\RegAsm.exe'
- OriginalFileName: 'RegAsm.exe'
selection_cli:
CommandLine|endswith:
- 'RegAsm'
- 'RegAsm.exe'
- 'RegAsm.exe"'
- "RegAsm.exe'"
condition: all of selection_*False Positives
Legitimate use of Regasm by developers.
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
651f87f7-12db-47f9-84c5-f27b081b94b6
Status
experimental
Level
low
Type
Detection
Created
Wed Jun 04
Author
Path
rules/windows/process_creation/proc_creation_win_regasm_no_flag_or_dll_execution.yml
Raw Tags
attack.defense-evasionattack.t1218.009