.. /Regasm.exe
Star

AWL bypass (DLL (.NET))

Execute (DLL (.NET))

Part of .NET

Paths:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

Resources:

Acknowledgements:

Casey Smith (@subtee)

Detections:

AWL bypass

Loads the target .Net DLL file and executes the RegisterClass function.
```
regasm.exe AllTheThingsx64.dll
```
Use case
Execute code and bypass Application whitelisting

Privileges required
Local Admin

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218.009
Tags
Execute: DLL (.NET)

Execute

Loads the target .DLL file and executes the UnRegisterClass function.
```
regasm.exe /U AllTheThingsx64.dll
```
Use case
Execute code and bypass Application whitelisting

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218.009
Tags
Execute: DLL (.NET)