Solarmarker File Extension Registry Key Set

calendar Nov 9, 2022 · attack.defense_evasion attack.t1202  ·
Share on: linkedin copy

Detects creation of suspicious file extension registry key. This extension is then registered with a custom file type (see Detail component of detection below) with a malicious powershell payload specified.

Sigma rule (View on GitHub)

 1title: Solarmarker File Extension Registry Key Set
 2id: 57c4dca5-51cd-4cff-b835-d7eebe8e92f6
 3related:
 4    - id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
 5      type: similar
 6status: experimental
 7description: Detects creation of suspicious file extension registry key. This extension is then registered with a custom file type (see Detail component of detection below) with a malicious powershell payload specified.
 8references:
 9    - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/
10    - https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker
11    - https://www.elastic.co/security-labs/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant
12author: Micah Babinski
13date: 2022/11/09
14tags:
15    - attack.defense_evasion
16    - attack.t1202
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        Image|endswith: '\powershell.exe'
23        EventType: 'SetValue'
24        TargetObject|re: '^.*\\.([a-zA-Z]){13,18}$'
25        Detail|re: '^.*([a-z]){18,22}$'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high```

References

Related rules

to-top