.. /Regsvcs.exe
Star

Execute (DLL, Custom Format)

AWL bypass (DLL, Custom Format)

Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies

Paths:

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Resources:

Acknowledgements:

Casey Smith (@subtee)

Detections:

Execute

Loads the target .DLL file and executes the RegisterClass function.
```
regsvcs.exe AllTheThingsx64.dll
```
Use case
Execute dll file and bypass Application whitelisting

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218.009
Tags
Execute: DLL
This LOLBAS executes Dynamic-Link Libraries (DLLs).
Input: Custom Format
This LOLBAS expects the input file to follow a set structure; check the description and linked resources for more details.

AWL bypass

Loads the target .DLL file and executes the RegisterClass function.
```
regsvcs.exe AllTheThingsx64.dll
```
Use case
Execute dll file and bypass Application whitelisting

Privileges required
Local Admin

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218.009
Tags
Execute: DLL
This LOLBAS executes Dynamic-Link Libraries (DLLs).
Input: Custom Format
This LOLBAS expects the input file to follow a set structure; check the description and linked resources for more details.