NetWire
NetWire auto-start registry entry
Sigma rule

title: NetWire
status: experimental
description: NetWire auto-start registry entry
author: Joe Security
date: 2019-10-29
id: 200015
threatname: NetWire
behaviorgroup: 14,20,21,22
classification: 4
mitreattack:

logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 13
    TargetObject:
      - '*\Microsoft\Windows\CurrentVersion\Run*NetWire*'
    Details:
      - '*\AppData\Roaming\\*'
  selection1:
    EventID: 13
    TargetObject:
      - '*HKEY_CURRENT_USER\Software\NetWire*HostId*'
  condition: selection or selection1
level: critical
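
An added example, not part of the original rule or Joe Security's code: a minimal Python evaluator for the rule's two selections, run over constructed Sysmon Event ID 13 records. The function names, the sample SID, paths and values are assumptions made for illustration.

```python
import re

# Patterns copied from the rule above. Fields inside a selection are ANDed.
RULE = {
    "selection": {
        "TargetObject": r"*\Microsoft\Windows\CurrentVersion\Run*NetWire*",
        "Details": r"*\AppData\Roaming\\*",
    },
    "selection1": {"TargetObject": r"*HKEY_CURRENT_USER\Software\NetWire*HostId*"},
}

def sigma_to_regex(pattern):
    # Sigma wildcards: * = any run, ? = one character. A backslash escapes only
    # a following \, * or ?, so the rule's '\\*' is a literal '\' then a wildcard.
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and pattern[i + 1:i + 2] in ("\\", "*", "?"):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def detect(event):
    # condition: selection or selection1; both selections require EventID 13.
    if event.get("EventID") != 13:
        return []
    return [name for name, fields in RULE.items()
            if all(sigma_to_regex(p).fullmatch(event.get(f, "")) for f, p in fields.items())]

# Constructed Sysmon Event ID 13 records (SID, paths and values are made up).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLES = [
    {"EventID": 13, "Details": r"C:\Users\alice\AppData\Roaming\Install\Host.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\NetWire"},
    {"EventID": 13, "Details": "HostId-AbCdEf",
     "TargetObject": r"HKEY_CURRENT_USER\Software\NetWire\HostId"},
    {"EventID": 13, "Details": "HostId-AbCdEf",   # Sysmon's abbreviated HKU\<SID> form
     "TargetObject": "HKU\\" + SID + r"\Software\NetWire\HostId"},
    {"EventID": 13, "Details": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(detect(ev) or "no match", "<-", ev["TargetObject"])
```

The third record shows that selection1 expects the literal HKEY_CURRENT_USER prefix, so a record written in Sysmon's abbreviated HKU\<SID> form does not match it. The fourth shows that selection needs both the Run key pattern and a value under \AppData\Roaming\ to fire.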