{
	"id": "8a6bcc87-4ec7-45f5-927b-871eb4ecee5f",
	"created_at": "2026-04-06T02:11:46.778488Z",
	"updated_at": "2026-04-10T03:20:31.504872Z",
	"deleted_at": null,
	"sha1_hash": "238b05114c130d232134cfb0daacef0f29f121ef",
	"title": "Regasm on LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47828,
	"plain_text": "Regasm on LOLBAS\r\nArchived: 2026-04-06 01:31:56 UTC\r\n.. /Regasm.exe\r\nPart of .NET\r\nPaths:\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\regasm.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe\r\nResources:\r\nhttps://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/\r\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md\r\nAcknowledgements:\r\nCasey Smith (@subtee)\r\nDetections:\r\nSigma: proc_creation_win_lolbin_regasm.yml\r\nElastic: execution_register_server_program_connecting_to_the_internet.toml\r\nSplunk: suspicious_regsvcs_regasm_activity.md\r\nSplunk: detect_regasm_with_network_connection.yml\r\nIOC: regasm.exe executing dll file\r\nAWL bypass\r\n1. Loads the target .NET DLL file and executes the RegisterClass function.\r\nregasm.exe file.dll\r\nUse case\r\nExecute code and bypass Application whitelisting\r\nPrivileges required\r\nLocal Admin\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.009: Regsvcs/Regasm\r\nTags\r\nExecute: DLL (.NET)\r\nExecute\r\n1. Loads the target .DLL file and executes the UnRegisterClass function.\r\nregasm.exe /U file.dll\r\nUse case\r\nExecute code and bypass Application whitelisting\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.009: Regsvcs/Regasm\r\nTags\r\nExecute: DLL (.NET)\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://lolbas-project.github.io/lolbas/Binaries/Regasm/"
	],
	"report_names": [
		"Regasm"
	],
	"threat_actors": [],
	"ts_created_at": 1775441506,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/238b05114c130d232134cfb0daacef0f29f121ef.pdf",
		"text": "https://archive.orkl.eu/238b05114c130d232134cfb0daacef0f29f121ef.txt",
		"img": "https://archive.orkl.eu/238b05114c130d232134cfb0daacef0f29f121ef.jpg"
	}
}