MITRE ATT&CK® Analytic

AN1028: Analytic 1028

Abuse of Regsvcs.exe or Regasm.exe to execute arbitrary code embedded in .NET assemblies via [ComRegisterFunction]/[ComUnregisterFunction]. Behavioral chain: (1) Process creation of regsvcs/regasm with suspicious assembly paths/flags → (2) Assembly/DLL load inside regsvcs/regasm → (3) Registry writes to HKCR\CLSID/ProgID during COM registration → (4) Optional child process or network activity spawned by installer/registration code.

Enterprise · AN1028 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic focuses on suspicious use of Windows .NET registration utilities, Regsvcs.exe and Regasm.exe, where registration behavior may be abused to run code embedded in .NET assemblies. For leaders, the value is not the tool names alone; it is whether the organization can distinguish normal software registration from registration activity that creates persistence-like COM artifacts, loads unexpected assemblies, or spawns follow-on activity.

Executive priority

Prioritize this as a Windows endpoint detection and response readiness question: can the SOC see process execution, .NET assembly or DLL loading, registry changes under COM registration locations, and any unexpected child process or network activity tied to Regsvcs.exe or Regasm.exe? This supports incident triage, audit evidence for endpoint monitoring, and control validation around trusted Windows utilities being used in unusual ways.

Technical view

Validate coverage for the described behavioral chain on Windows: process creation of regsvcs.exe or regasm.exe with unusual assembly paths or flags; assembly/DLL loads inside those processes; registry writes to HKCR\CLSID or ProgID locations during COM registration; and optional child process or network activity initiated by registration code. Because the official detection field is not provided and no ATT&CK relationships are supplied, teams should treat this as a behavior-validation analytic rather than a complete detection rule.

Likely telemetry

  • Windows process creation telemetry for Regsvcs.exe and Regasm.exe, including command line and parent process
  • Image/module or assembly load telemetry for DLLs and .NET assemblies loaded by Regsvcs.exe or Regasm.exe
  • Windows registry modification telemetry for HKCR\CLSID and ProgID-related COM registration paths
  • Child process telemetry linked to Regsvcs.exe or Regasm.exe
  • Network connection telemetry where Regsvcs.exe or Regasm.exe initiates outbound activity

Detection direction

  • Baseline legitimate software installation, deployment, and administrative registration activity to reduce false positives.
  • Look for Regsvcs.exe or Regasm.exe executions involving suspicious, user-writable, temporary, download, or otherwise unusual assembly paths when such context is available.
  • Correlate process execution with subsequent assembly/DLL loads and COM registry writes rather than alerting only on the presence of the utilities.
  • Escalate events where registration activity is followed by unexpected child processes or network connections.
  • Confirm whether endpoint telemetry captures command line, registry writes, and module/assembly loads; gaps in any one of these can make the behavioral chain hard to prove.
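As an added illustration (not part of the Glexia or MITRE text), the correlation described above, run over constructed Sysmon-style events: one chain from a user-writable Temp path with follow-on network activity, and one vendor installer registering from Program Files. The event field names, the list of user-writable locations and the verdict thresholds are assumptions chosen for this example.

```python
import re

REG_UTILS = ("regsvcs.exe", "regasm.exe")
# User-writable locations: an assembly registered from here is the "unusual assembly path" signal
SUSPICIOUS_PATH = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# COM registration writes land under HKCR\CLSID\{guid} or under a ProgID key's CLSID subkey
COM_REG_KEY = re.compile(r"^HKCR\\(CLSID\\|[^\\]+\\CLSID)", re.I)

# Constructed Sysmon-style events (not real telemetry): pid 4120 walks the full chain from a Temp
# path and then connects outbound; pid 3300 is a vendor installer registering from Program Files.
EVENTS = [
    {"type": "process_create", "pid": 4120, "ppid": 2200, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "cmdline": r"regasm.exe C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"type": "image_load", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"type": "registry_set", "pid": 4120, "key": r"HKCR\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32"},
    {"type": "network_connect", "pid": 4120, "dest": "203.0.113.10:443"},
    {"type": "process_create", "pid": 3300, "ppid": 3100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe",
     "cmdline": r"regsvcs.exe C:\Program Files\Vendor\App\Service.dll"},
    {"type": "image_load", "pid": 3300, "image": r"C:\Program Files\Vendor\App\Service.dll"},
    {"type": "registry_set", "pid": 3300, "key": r"HKCR\Vendor.Service\CLSID"},
]

def correlate(events):
    """Pass 1 finds regsvcs/regasm processes (stage 1); pass 2 attaches loads, COM writes and follow-on activity to that pid."""
    chains = {}
    for e in events:
        if e["type"] == "process_create" and e["image"].rsplit("\\", 1)[-1].lower() in REG_UTILS:
            chains[e["pid"]] = {"stages": {1}, "suspicious_path": bool(SUSPICIOUS_PATH.search(e["cmdline"]))}
    for e in events:
        # a child process is attributed to its parent; every other event to its own pid
        owner = e.get("ppid") if e["type"] == "process_create" else e["pid"]
        if owner not in chains:
            continue
        if e["type"] == "image_load" and not e["image"].lower().startswith(r"c:\windows"):
            chains[owner]["stages"].add(2)   # non-OS DLL/assembly loaded into the utility
        elif e["type"] == "registry_set" and COM_REG_KEY.match(e["key"]):
            chains[owner]["stages"].add(3)   # COM registration artifact written
        elif e["type"] in ("process_create", "network_connect"):
            chains[owner]["stages"].add(4)   # child process or outbound connection
    return chains

def verdict(chain):
    """Escalate on a complete chain with follow-on activity; review a user-writable source with COM artifacts; else baseline."""
    s = chain["stages"]
    if {2, 3, 4} <= s:
        return "escalate"
    if chain["suspicious_path"] and 3 in s:
        return "review"
    return "baseline"
```

The utility's own process creation never raises a verdict by itself; only the correlated stages do, which is the point the bullets above make.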

Mitigation priorities

  • Ensure endpoint logging and EDR policy capture process creation, command line, registry modification, module load, and network activity for Windows hosts.
  • Restrict unnecessary execution of administrative registration utilities where business workflows allow, using standard application control or endpoint hardening practices.
  • Review software deployment and developer workflows so legitimate Regsvcs.exe and Regasm.exe usage is documented and distinguishable from abnormal use.
  • Harden monitoring around user-writable and temporary paths used as sources for registered assemblies.
  • Prepare IR triage guidance for suspicious COM registration events, including collection of the assembly, command line, registry changes, parent process, and any follow-on child process or network evidence.

Analyst notes and limits

The supplied object is a detection analytic, not a technique description, and it provides a useful behavioral chain but no formal detection logic, tactics, mitigations, or relationships. The strongest defensive use is to convert the chain into local validation tests and SOC correlation requirements for Windows endpoint telemetry.

No official detection text, tactics, relationships, aliases, or labels were supplied. This take does not infer attribution, active exploitation, impact, or coverage. Local baselines are required to separate legitimate COM/.NET registration from suspicious behavior.

Official MITRE ATT&CK definition

Analytic 1028

Abuse of Regsvcs.exe or Regasm.exe to execute arbitrary code embedded in .NET assemblies via [ComRegisterFunction]/[ComUnregisterFunction]. Behavioral chain: (1) Process creation of regsvcs/regasm with suspicious assembly paths/flags → (2) Assembly/DLL load inside regsvcs/regasm → (3) Registry writes to HKCR\CLSID/ProgID during COM registration → (4) Optional child process or network activity spawned by installer/registration code.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty)
Modified: (empty)
Raw hash: 044d034dc58f19c9...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported: (empty)
Object version: 1.0
Modified: (empty)
Status: Current bundle
Raw hash: 044d034dc58f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1028

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.