
Summary
This detection rule targets potentially suspicious execution of the Regasm and Regsvcs utilities on Windows systems where the command line carries an uncommon file extension. These utilities are normally used to register and manage .NET assemblies, so their misuse can indicate malicious activity, particularly defense evasion and the circumvention of security controls. The rule looks for process creation events for Regsvcs.exe or Regasm.exe whose command line includes uncommon file types such as images or text files (e.g., .dat, .gif, .jpeg, .jpg, .png, .txt). Such extensions deviate from typical operational use and therefore warrant further investigation.
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-02-13
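The following is an added example, not part of the rule page itself, that implements the matching logic described in the summary as a small Python function and runs it over constructed process creation events (the sample paths, users and file names are made up for illustration). The image name is compared on its basename, and the extension test is a case-insensitive substring match on the command line, which is how the summary describes the rule ("commands include uncommon file types"):

```python
from typing import Iterable

# Process images the rule cares about, compared on the basename, case-insensitively.
TARGET_IMAGES = ("regsvcs.exe", "regasm.exe")

# Uncommon extensions listed in the rule summary. The test is a substring match on
# the whole command line, so it also fires on e.g. ".data" (see usage note).
UNCOMMON_EXTENSIONS = (".dat", ".gif", ".jpeg", ".jpg", ".png", ".txt")


def _basename(path: str) -> str:
    """Return the lower-cased final path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matched_extensions(event: dict) -> list[str]:
    """Return the uncommon extensions present on the command line of a
    Regsvcs.exe / Regasm.exe process creation event, or [] if the event does
    not match the rule (wrong image or no uncommon extension)."""
    if _basename(event.get("Image", "")) not in TARGET_IMAGES:
        return []
    cmdline = event.get("CommandLine", "").lower()
    return [ext for ext in UNCOMMON_EXTENSIONS if ext in cmdline]


def is_suspicious_regasm_regsvcs(event: dict) -> bool:
    """True when the event satisfies the rule logic from the summary."""
    return bool(matched_extensions(event))


def scan_events(events: Iterable[dict]) -> list[dict]:
    """Return the events that the rule would alert on."""
    return [e for e in events if is_suspicious_regasm_regsvcs(e)]


# Constructed sample process creation events (not real telemetry); the .NET
# framework paths are illustrative locations for the two utilities.
SAMPLE_EVENTS = [
    {  # Regasm handed an image file: matches
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "CommandLine": r"RegAsm.exe C:\Users\Public\pictures\holiday.png",
    },
    {  # Regsvcs handed a text file: matches
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
        "CommandLine": r"RegSvcs.exe /U C:\Windows\Temp\notes.txt",
    },
    {  # Regasm registering a normal assembly: does not match
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "CommandLine": r"RegAsm.exe /codebase C:\Program Files\Vendor\Component.dll",
    },
    {  # Unrelated process opening a .txt file: does not match
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\bob\readme.txt",
    },
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"ALERT: {_basename(hit['Image'])} with {matched_extensions(hit)}: "
              f"{hit['CommandLine']}")
```

Because the extension check is a plain substring test, an argument such as `C:\build\output.data` also satisfies `.dat`; when triaging, confirm that the matched extension really is the final extension of the file passed to the utility and that the file is not a renamed assembly under a legitimate build or deployment workflow.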