Solarmarker File Extension Registry Key Set

Detects the creation of a suspicious file-extension registry key: an extension of 13 to 18 letters written by powershell.exe. Solarmarker then registers that extension with a custom file type (the value matched by the Detail selector in the rule below) whose handler runs a malicious PowerShell payload.

Sigma rule

```yaml
title: Solarmarker File Extension Registry Key Set
id: 57c4dca5-51cd-4cff-b835-d7eebe8e92f6
related:
    - id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
      type: similar
status: experimental
description: Detects creation of suspicious file extension registry key. This extension is then registered with a custom file type (see Detail component of detection below) with a malicious powershell payload specified.
references:
    - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/
    - https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker
    - https://www.elastic.co/security-labs/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant
author: Micah Babinski
date: 2022/11/09
tags:
    - attack.defense_evasion
    - attack.t1202
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        EventType: 'SetValue'
        TargetObject|re: '^.*\\.([a-zA-Z]){13,18}$'
        Detail|re: '^.*([a-z]){18,22}$'
    condition: selection
falsepositives:
    - Unknown
level: high
```
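To see how the selection above behaves on real-looking records, here is an added Python example (not part of the original page or of the SigmaHQ rule) that evaluates the same four selectors over a handful of constructed Sysmon Event ID 13 (RegistryEvent SetValue) records. The events, SIDs and value names are made up for illustration; the field names follow the rule as printed, with a fallback to Sysmon's own `Details` name for the written value.

```python
import re

# Constructed Sysmon Event ID 13 records for illustration; not real telemetry.
# Field names follow the Sigma rule as printed ("Detail"); Sysmon itself names the
# value field "Details", so the predicate accepts either spelling.
SAMPLE_EVENTS = [
    {   # 0: should fire - powershell.exe creates a 15-letter extension whose
        #    default value is a 20-letter custom file-type name
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "EventType": "SetValue",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\.dnrmluoxyszwhqg",
        "Detail": "kqbprmzxlbtnamwscvuy",
    },
    {   # 1: benign installer registering an ordinary extension; Image selector fails
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "EventType": "SetValue",
        "TargetObject": "HKLM\\SOFTWARE\\Classes\\.pdf",
        "Details": "AcroExch.Document",
    },
    {   # 2: powershell.exe setting a short extension; TargetObject and Detail selectors fail
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "EventType": "SetValue",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\.txt",
        "Detail": "txtfile",
    },
    {   # 3: 17-letter extension, but the value is a path rather than 18-22 lowercase
        #    letters; Detail selector fails, so the rule stays quiet
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "EventType": "SetValue",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\.abcdefghijklmnopq",
        "Detail": "C:\\Users\\Public\\run.bat",
    },
    {   # 4: same as 0 but written from pwsh.exe; the rule's Image selector only
        #    covers powershell.exe, so this is a gap to be aware of
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "EventType": "SetValue",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\.dnrmluoxyszwhqg",
        "Detail": "kqbprmzxlbtnamwscvuy",
    },
]

# The four selectors from the rule. Sigma's plain string matching (endswith, equality)
# is case-insensitive; the re modifier is handed to the backend as written.
IMAGE_SUFFIX = "\\powershell.exe"
EVENT_TYPE = "setvalue"
# YAML single quotes keep '\\.' literally, so the regex is \\. : a literal backslash
# followed by ANY character, then 13-18 letters running to the end of the key path.
TARGET_RE = re.compile(r"^.*\\.([a-zA-Z]){13,18}$")
DETAIL_RE = re.compile(r"^.*([a-z]){18,22}$")


def matches(event: dict) -> bool:
    """True when the event satisfies every selector of the rule's selection (AND semantics)."""
    image = event.get("Image", "")
    detail = event.get("Detail", event.get("Details", ""))
    return (
        image.lower().endswith(IMAGE_SUFFIX)
        and event.get("EventType", "").lower() == EVENT_TYPE
        and TARGET_RE.search(event.get("TargetObject", "")) is not None
        and DETAIL_RE.search(detail) is not None
    )


def scan(events):
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        verdict = "ALERT" if matches(e) else "no match"
        print(f"event {i}: {verdict:8}  {e['TargetObject']}")
```

Two things worth keeping in mind when tuning this rule: because the TargetObject pattern's `\\.` matches a backslash followed by any character, a key such as `...\Classes\xabcdefghijklmnop` (no dot) would match as well as `...\Classes\.abcdefghijklmnop`; and the Image selector covers only `powershell.exe`, so the same registry writes from `pwsh.exe` (event 4 above) go unnoticed unless the selector is widened.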
