DLL Injection by Regasm activity

Rule added on 30th May, 2024

Rule type:

Correlation

Rule description:

DLL injection is a common technique used by both legitimate software and attackers to execute code in the virtual address space of another process by forcing it to load a dynamic-link library. It can be carried out through Windows command line tools such as Regasm.exe, which is used to register .NET Component Object Model (COM) assemblies.

Attackers may abuse this by performing DLL injection with malicious code in processes where Regasm.exe has permissions.

Attack chain scenario: Exploitation of vulnerabilities in explorer.exe -> Regasm-based DLL injection -> Malicious code execution -> Data theft

Impact:

It can impact the organizations in the following ways:

  • Credential theft
  • Privilege escalation
  • Network breach

Data source:

Windows > Process Creation

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the process creation audit policy, and enabling command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactic: TA0005 - Defense Evasion

Technique: T1218 - System Binary Proxy Execution

Sub-technique: T1218.009 - Regsvcs/Regasm

Criteria:

Criteria: ( ( Parent Process Name ends with "regasm.exe" ) OR ( Parent Process Name ends with "regsvcs.exe" ) OR ( Process Name ends with "regasm.exe" ) OR ( Process Name ends with "regsvcs.exe" ) ) AND ( ( Command Line contains ".dll" ) )

- Attackers may use regasm.exe or regsvcs.exe to install malware, create backdoors, evade defensive mechanisms, and more.

.dll - Attackers create a malicious .dll file and register it through Regasm.exe.
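The criteria above expressed as detection logic and run over a handful of constructed process-creation records, as an added example that is not the product's own rule engine. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, ProcessId), and all paths and PIDs are made up.

```python
"""Evaluate the Regasm/Regsvcs DLL-injection criteria over constructed
process-creation records (hypothetical data; not the product's own code)."""
from typing import Dict, List

# Binaries named in the rule; matched case-insensitively on the path suffix.
WATCHED = ("regasm.exe", "regsvcs.exe")

def matches_rule(event: Dict[str, str]) -> bool:
    """True when the page's criteria hold: (Parent Process Name or Process
    Name ends with regasm.exe/regsvcs.exe) AND Command Line contains ".dll".
    Everything is lower-cased first because Windows paths are case-insensitive."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    name_hit = image.endswith(WATCHED) or parent.endswith(WATCHED)
    return name_hit and ".dll" in cmdline

def find_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessIds of events that satisfy the criteria."""
    return [e["ProcessId"] for e in events if matches_rule(e)]

# Constructed sample events (paths, file names and PIDs are illustrative only).
SAMPLE_EVENTS = [
    {"ProcessId": "1001",  # regasm.exe registering a DLL: alert
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"RegAsm.exe C:\Users\Public\payload.dll"},
    {"ProcessId": "1002",  # regsvcs.exe with upper-case .DLL: alert
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regsvcs.exe /u C:\Temp\comp.DLL"},
    {"ProcessId": "1003",  # child of regasm.exe mentioning a .dll: alert
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "CommandLine": r"cmd.exe /c copy evil.dll C:\Temp\evil.dll"},
    {"ProcessId": "1004",  # regasm.exe but no .dll on the command line: no alert
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regasm.exe /?"},
    {"ProcessId": "1005",  # .dll present but neither binary involved: no alert
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe notes.dll"},
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # prints ['1001', '1002', '1003']
```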

When to enable this rule:

Enabling this rule will help you meet the security standard's requirement listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified that a potential DLL injection through regasm.exe or regsvcs.exe has occurred. This enables you to review access and permissions, take corrective actions, and monitor the use of regasm.exe and regsvcs.exe.

Known false positives: This event may be generated when administrators use these tools for legitimate administrative purposes, such as performing manual backups.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify if the alert is a new incident or part of an existing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to cease the malicious process.
  • Deploy access controls: Implement access controls and permissions to restrict the execution of regasm.exe and regsvcs.exe by unauthorized users.