# Regsvcs/Regasm

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft.

Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration:

\[ComRegisterFunction] or \[ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute.

**I used the following instruction to make this payload work**

<https://gist.githubusercontent.com/Arno0x/71ea3afb412ec1a5490c657e58449182/raw/b7226931b70eb04bc5efee51b4f2df0b6fe3c483/regasm.cs>

After compiling and configuring the proper steps to create my payload and have it execute text in console

![](/files/-MRkYmXoqZM4v8Jr5TP_)

References:

<https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/>

<https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/>

<https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1121/T1121.md>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1218-signed-binary-proxy-execution/untitled-3.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.