T1218.009: Regsvcs/Regasm

Regsvcs/Regasm matters because normal Microsoft-signed Windows utilities can be used as the visible process while attacker-controlled .NET registration or unregistration code runs behind them. For leaders, the risk is not the tools themselves being rare or malicious; it is that trusted administrative binaries can create gaps in application control and SOC triage if monitoring only asks whether the executable is signed by Microsoft.

Executive priority

Prioritize this as a Windows stealth and control-validation issue. Ask whether application control, endpoint logging, and incident response playbooks distinguish legitimate .NET COM assembly registration from suspicious use of Regsvcs.exe or Regasm.exe. This is especially relevant for audit evidence around execution prevention: a policy that allows all signed Microsoft binaries may not be enough if it does not account for system binary proxy execution.

Technical view

This is ATT&CK T1218.009, a Windows sub-technique of System Binary Proxy Execution. SOC and detection teams should validate coverage for Regsvcs.exe and Regasm.exe execution, including command line, parent process, target assembly path, user context, process lineage, and any follow-on child processes or file activity. Because MITRE provides no official detection text for this object, use the related detection strategy DET0361 as the ATT&CK-linked starting point and tune it against known administrative or developer workflows. IR teams should treat suspicious Regsvcs/Regasm activity as possible proxy execution of .NET COM registration code rather than assuming the Microsoft-signed utility is benign.

Likely telemetry

Windows process creation events for Regsvcs.exe and Regasm.exe
Full command-line arguments and target assembly paths
Parent and child process relationships around the utility execution
File creation or modification involving .NET assemblies used during registration activity
Application control or execution prevention logs for allowed or blocked Regsvcs/Regasm activity

Detection direction

Baseline legitimate Regsvcs.exe and Regasm.exe usage on Windows systems, especially developer, build, and administration hosts, before treating all executions as suspicious.
Alert on unusual parent processes, unexpected user contexts, uncommon assembly locations, or executions outside known software installation and administration workflows.
Do not rely on Microsoft digital signature alone as a benign indicator; this technique exists because trusted binaries can proxy code execution.
Correlate detections with the parent technique T1218 System Binary Proxy Execution and the related DET0361 detection strategy.
Expect false positives where .NET COM assemblies are legitimately registered; tune with environment-specific allow lists and change-management context.

Mitigation priorities

Start with execution prevention controls such as application control policies that account for how Regsvcs.exe and Regasm.exe are permitted to run, not merely whether they are signed.
Restrict or monitor use of these utilities to systems and roles that have a legitimate operational need.
Disable or remove unnecessary features, software, or workflows that require these utilities where business operations allow.
Maintain audit-ready evidence that execution prevention policies were tested against trusted-binary proxy execution scenarios, including Regsvcs/Regasm behavior.
Pair prevention with monitoring because the ATT&CK object notes code may run even when registration or unregistration lacks sufficient privileges and fails.

Analyst notes and limits

The relationship set links this technique to mitigation M1038 Execution Prevention, mitigation M1042 Disable or Remove Feature or Program, detection strategy DET0361, parent technique T1218, and software S0331 Agent Tesla. The Agent Tesla relationship means ATT&CK records that software as using this technique; it should not be interpreted by itself as evidence of current activity in any specific environment.

MITRE does not provide official detection text for this object in the supplied fields. Local validation is required to determine normal Regsvcs/Regasm usage, available telemetry, and whether execution prevention policies actually constrain this behavior without disrupting legitimate .NET COM registration workflows.

Official MITRE ATT&CK definition

Regsvcs/Regasm

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. [1] [2]

Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. [3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 2 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1121	Regsvcs/Regasm	Regsvcs/Regasm revoked by this object.
Enterprise	T1218	System Binary Proxy Execution	This object subtechnique of System Binary Proxy Execution.

Associated objects

Groups, software, and campaigns

S0331: Agent Tesla

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[1][2][3]

Windows

Relationship explorer

All related ATT&CK context

detects · Detection Strategy DET0361: Detecting .NET COM Registration Abuse via Regsvcs/Regasm Enterprise mitigates · Mitigation M1038: Execution Prevention Enterprise uses · Malware S0331: Agent Tesla Enterprise revoked by · Technique T1121: Regsvcs/Regasm Enterprise subtechnique of · Technique T1218: System Binary Proxy Execution Enterprise mitigates · Mitigation M1042: Disable or Remove Feature or Program Enterprise

Mitigations

Mitigation direction

M1038: Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:

Application Control:

- Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`)

Script Blocking:

- Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`)

Executable Blocking:

- Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories.

Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

M1042: Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

- Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash). - Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

- Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required. - Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

- Use Case: Prevent users from installing unauthorized software via group policies or other management tools. - Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

- Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices. - Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

- Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes. - Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 3.0
Created: Jan 23, 2020, 19:42 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 081afbf50680f7d6...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	3.0	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`081afbf50680…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
MSDN Regsvcs

Microsoft. (n.d.). Regsvcs.exe (.NET Services Installation Tool). Retrieved July 1, 2016.
Open source URL
[2]
MSDN Regasm

Microsoft. (n.d.). Regasm.exe (Assembly Registration Tool). Retrieved July 1, 2016.
Open source URL
[3]
LOLBAS Regsvcs

LOLBAS. (n.d.). Regsvcs.exe. Retrieved July 31, 2019.
Open source URL
[4]
LOLBAS Regasm

LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.
Open source URL
[5]
mitre-attack T1218.009
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams