RegSvcs.exe
- File Path:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
- Description: Microsoft .NET Services Installation Utility
- Comments: Flavor=Retail
Hashes
Type | Hash |
---|---|
MD5 | 96C201253A2A277D7E6D40167548991A |
SHA1 | F3B0E69F65E9A27A5AF1D96AF75F1A6A23CF77AA |
SHA256 | 808AEC47F908410C01F820683F1C33198E05525D159863925690FDEB319EAC1A |
SHA384 | C9BBB2DBB07B313F4C09B5AD8A75F4D03A6C42CEBEBFEC44C5585D51230DAC830A495DC4AC0CE6BC36A76F6B8E7BAA46 |
SHA512 | 8C2AF8688802019FD0C18FCD279AC3821CAA0923631610589A6C23663D5200038AD7E3CFE698339EE92CF621EF4FFEDF11BC5082CB6ED860EB955DFC60FDACC4 |
SSDEEP | 768:gBbSoy+SdIBf0k2ds9pO6Iq8YTcQqWVVQP/Q2:/oOIBf0dds9pdBcQxHQg2 |
IMP | F34D5F2D4577ED6D9CEEC516C1F5A744 |
PESHA1 | 201DE8132D9800703C8F2118B8D527344198F97B |
PE256 | 43EAAFD356AB12CBC976BCB8D259338BAC0D43F277DC1305360CBDB8EE73B43C |
Runtime Data
Usage (stdout):
Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4161.0
Copyright (C) Microsoft Corporation. All rights reserved.
Invalid option: '--help'
USAGE: regsvcs.exe [options] AssemblyName
Options:
/? or /help Display this usage message.
/fc Find or create target application (default).
/c Create target application, error if it already exists.
/exapp Expect an existing application.
/tlb:<tlbfile> Filename for the exported type library.
/appname:<name> Use the specified name for the target application.
/parname:<name> Use the specified name or id for the target partition.
/extlb Use an existing type library.
/reconfig Reconfigure existing target application (default).
/noreconfig Don't reconfigure existing target application.
/u Uninstall target application.
/nologo Suppress logo output.
/quiet Suppress logo output and success output.
/componly Configure components only, no methods or interfaces.
/appdir:<path> Set application root directory to specified path.
Loaded Modules:
Path |
---|
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
C:\WINDOWS\SYSTEM32\ntdll.dll |
C:\WINDOWS\System32\wow64.dll |
C:\WINDOWS\System32\wow64base.dll |
C:\WINDOWS\System32\wow64con.dll |
C:\WINDOWS\System32\wow64cpu.dll |
C:\WINDOWS\System32\wow64win.dll |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED
- Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: RegSvcs.exe
- Product Name: Microsoft .NET Framework
- Company Name: Microsoft Corporation
- File Version: 4.8.4161.0 built by: NET48REL1
- Product Version: 4.8.4161.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/808aec47f908410c01f820683f1c33198e05525d159863925690fdeb319eac1a/detection
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 66 |
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | 66 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | 60 |
Possible Misuse
The following table contains possible examples of RegSvcs.exe being misused. While RegSvcs.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\regsvcs.exe' | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | Image\|endswith: '\regsvcs.exe' | DRL 1.0 |
sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | CommandLine\|endswith: '\regsvcs.exe' | DRL 1.0 |
sigma | proc_creation_win_possible_applocker_bypass.yml | - '\regsvcs.exe' | DRL 1.0 |
LOLBAS | Regasm.yml | - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | |
LOLBAS | Regsvcs.yml | Name: Regsvcs.exe | |
LOLBAS | Regsvcs.yml | Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies | |
LOLBAS | Regsvcs.yml | - Command: regsvcs.exe AllTheThingsx64.dll | |
LOLBAS | Regsvcs.yml | - Path: C:\Windows\System32\regsvcs.exe | |
LOLBAS | Regsvcs.yml | - Path: C:\Windows\SysWOW64\regsvcs.exe | |
LOLBAS | Regsvcs.yml | - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ | |
atomic-red-team | index.md | - T1218.009 Regsvcs/Regasm | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - T1218.009 Regsvcs/Regasm | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | | | | | | Regsvcs/Regasm | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | | | | | | Regsvcs/Regasm | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | # T1218.009 - Regsvcs/Regasm | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | <blockquote>Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | - Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | ## Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file} | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.