{
	"id": "ca0dd833-bc33-4681-8128-a880bc424792",
	"created_at": "2026-04-06T01:30:14.505253Z",
	"updated_at": "2026-04-10T13:11:52.418157Z",
	"deleted_at": null,
	"sha1_hash": "a2f9cd43ce11791c498562e38fe08dc550533195",
	"title": "Regsvcs on LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46735,
	"plain_text": "Regsvcs on LOLBAS\r\nArchived: 2026-04-06 00:23:15 UTC\r\n.. /Regsvcs.exe\r\nRegsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies\r\nPaths:\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\RegSvcs.exe\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegSvcs.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\r\nResources:\r\nhttps://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/\r\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md\r\nAcknowledgements:\r\nCasey Smith (@subtee)\r\nDetections:\r\nSigma: proc_creation_win_lolbin_regasm.yml\r\nElastic: execution_register_server_program_connecting_to_the_internet.toml\r\nSplunk: detect_regsvcs_with_network_connection.yml\r\nExecute\r\n1. Loads the target .NET DLL file and executes the RegisterClass function.\r\nregsvcs.exe file.dll\r\nUse case\r\nExecute dll file and bypass Application whitelisting\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.009: Regsvcs/Regasm\r\nTags\r\nExecute: DLL (.NET)\r\nAWL bypass\r\n1. Loads the target .NET DLL file and executes the RegisterClass function.\r\nregsvcs.exe file.dll\r\nUse case\r\nExecute dll file and bypass Application whitelisting\r\nPrivileges required\r\nLocal Admin\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.009: Regsvcs/Regasm\r\nTags\r\nExecute: DLL (.NET)\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"
	],
	"report_names": [
		"Regsvcs"
	],
	"threat_actors": [],
	"ts_created_at": 1775439014,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2f9cd43ce11791c498562e38fe08dc550533195.pdf",
		"text": "https://archive.orkl.eu/a2f9cd43ce11791c498562e38fe08dc550533195.txt",
		"img": "https://archive.orkl.eu/a2f9cd43ce11791c498562e38fe08dc550533195.jpg"
	}
}