RegSvcs.exe

  • File Path: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  • Description: Microsoft .NET Services Installation Utility
  • Comments: Flavor=Retail

Hashes

  • MD5: 96C201253A2A277D7E6D40167548991A
  • SHA1: F3B0E69F65E9A27A5AF1D96AF75F1A6A23CF77AA
  • SHA256: 808AEC47F908410C01F820683F1C33198E05525D159863925690FDEB319EAC1A
  • SHA384: C9BBB2DBB07B313F4C09B5AD8A75F4D03A6C42CEBEBFEC44C5585D51230DAC830A495DC4AC0CE6BC36A76F6B8E7BAA46
  • SHA512: 8C2AF8688802019FD0C18FCD279AC3821CAA0923631610589A6C23663D5200038AD7E3CFE698339EE92CF621EF4FFEDF11BC5082CB6ED860EB955DFC60FDACC4
  • SSDEEP: 768:gBbSoy+SdIBf0k2ds9pO6Iq8YTcQqWVVQP/Q2:/oOIBf0dds9pdBcQxHQg2
  • IMP: F34D5F2D4577ED6D9CEEC516C1F5A744
  • PESHA1: 201DE8132D9800703C8F2118B8D527344198F97B
  • PE256: 43EAAFD356AB12CBC976BCB8D259338BAC0D43F277DC1305360CBDB8EE73B43C

Runtime Data

Usage (stdout):

Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4161.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Invalid option: '--help'

USAGE: regsvcs.exe [options] AssemblyName
Options:
    /? or /help     Display this usage message.
    /fc             Find or create target application (default).
    /c              Create target application, error if it already exists.
    /exapp          Expect an existing application.
    /tlb:<tlbfile>  Filename for the exported type library.
    /appname:<name> Use the specified name for the target application.
    /parname:<name> Use the specified name or id for the target partition.
    /extlb          Use an existing type library.
    /reconfig       Reconfigure existing target application (default).
    /noreconfig     Don't reconfigure existing target application.
    /u              Uninstall target application.
    /nologo         Suppress logo output.
    /quiet          Suppress logo output and success output.
    /componly       Configure components only, no methods or interfaces.
    /appdir:<path>  Set application root directory to specified path.


Loaded Modules:

Path
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: RegSvcs.exe
  • Product Name: Microsoft .NET Framework
  • Company Name: Microsoft Corporation
  • File Version: 4.8.4161.0 built by: NET48REL1
  • Product Version: 4.8.4161.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/808aec47f908410c01f820683f1c33198e05525d159863925690fdeb319eac1a/detection

File Similarity (ssdeep match)

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (score: 66)
  • C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe (score: 66)
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe (score: 60)

Possible Misuse

The following entries are possible examples of RegSvcs.exe being misused, listed as Source / Source File: Example (License). While RegSvcs.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • sigma / sysmon_suspicious_dbghelp_dbgcore_load.yml: - '\regsvcs.exe' (DRL 1.0)
  • sigma / win_bad_opsec_sacrificial_processes.yml: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback (DRL 1.0)
  • sigma / win_bad_opsec_sacrificial_processes.yml: Image|endswith: '\regsvcs.exe' (DRL 1.0)
  • sigma / win_bad_opsec_sacrificial_processes.yml: CommandLine|endswith: '\regsvcs.exe' (DRL 1.0)
  • sigma / win_possible_applocker_bypass.yml: - '\regsvcs.exe' (DRL 1.0)
  • LOLBAS / Regasm.yml: - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
  • LOLBAS / Regsvcs.yml: Name: Regsvcs.exe
  • LOLBAS / Regsvcs.yml: Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
  • LOLBAS / Regsvcs.yml: - Command: regsvcs.exe AllTheThingsx64.dll
  • LOLBAS / Regsvcs.yml: - Path: C:\Windows\System32\regsvcs.exe
  • LOLBAS / Regsvcs.yml: - Path: C:\Windows\SysWOW64\regsvcs.exe
  • LOLBAS / Regsvcs.yml: - Link: https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
  • atomic-red-team / index.md: - T1218.009 Regsvcs/Regasm (MIT License. © 2018 Red Canary)
  • atomic-red-team / index.md: - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] (MIT License. © 2018 Red Canary)
  • atomic-red-team / windows-index.md: - T1218.009 Regsvcs/Regasm (MIT License. © 2018 Red Canary)
  • atomic-red-team / windows-index.md: - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] (MIT License. © 2018 Red Canary)
  • atomic-red-team / matrix.md: | | | | | Regsvcs/Regasm | | | | | | | | (MIT License. © 2018 Red Canary)
  • atomic-red-team / windows-matrix.md: | | | | | Regsvcs/Regasm | | | | | | | | (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1218.009.md: # T1218.009 - Regsvcs/Regasm (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1218.009.md: <blockquote>Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm) (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1218.009.md: Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)</blockquote> (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1218.009.md: - Atomic Test #2 - Regsvcs Uninstall Method Call Test (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1218.009.md: ## Atomic Test #2 - Regsvcs Uninstall Method Call Test (MIT License. © 2018 Red Canary)
  • atomic-red-team / T1218.009.md: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file} (MIT License. © 2018 Red Canary)

MIT License. Copyright (c) 2020-2021 Strontic.