Pandemic Registry Key
Detects the registry key associated with the Pandemic Windows implant (the CIA tool described in the Vault 7 leak): writes to a key under the Null service that the rule treats as an indicator of the implant.
Sigma rule
title: Pandemic Registry Key
id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
status: test
description: Detects Pandemic Windows Implant
references:
    - https://wikileaks.org/vault7/#Pandemic
    - https://twitter.com/MalwareJake/status/870349480356454401
author: Florian Roth (Nextron Systems)
date: 2017-06-01
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
    condition: selection
falsepositives:
    - Unknown
level: critical
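The rule has a single selection: a `contains` match on the TargetObject field of Windows registry events. To show exactly what that matches (and what it does not), the following Python replays the selection over a handful of constructed Sysmon registry events. This is an added example, not the Sigma project's code and not a Sigma backend; it hand-implements the one modifier the rule uses. The mapping of the windows/registry_event logsource to Sysmon event IDs 12, 13 and 14, the sample paths and the image names are assumptions made for the example.

```python
"""Replay the 'Pandemic Registry Key' Sigma selection over constructed Sysmon events.

Added example: this is not the Sigma project's code and not a Sigma backend;
it hand-implements the one selection in the rule above so the matching
semantics (case-insensitive substring on TargetObject) can be inspected.
"""
from typing import Any, Dict, List

# The value from the rule's TargetObject|contains selection, verbatim.
PANDEMIC_NEEDLE = r"\SYSTEM\CurrentControlSet\services\null\Instance"

# Assumption: Sigma's windows/registry_event logsource is served by Sysmon
# event IDs 12 (key create/delete), 13 (value set) and 14 (key/value rename).
REGISTRY_EVENT_IDS = {12, 13, 14}


def sigma_contains(field_value: str, needle: str) -> bool:
    """Sigma's |contains modifier: substring match, case-insensitive by default."""
    return needle.casefold() in field_value.casefold()


def matches_pandemic_rule(event: Dict[str, Any]) -> bool:
    """True when the event satisfies 'condition: selection' of the rule."""
    try:
        event_id = int(event.get("EventID", -1))
    except (TypeError, ValueError):
        return False
    if event_id not in REGISTRY_EVENT_IDS:
        return False                      # wrong logsource: not a registry event
    target = event.get("TargetObject")
    if not isinstance(target, str):
        return False                      # field absent: the selection cannot match
    return sigma_contains(target, PANDEMIC_NEEDLE)


def run_detection(events: List[Dict[str, Any]]) -> List[str]:
    """Return the 'id' of every event the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_pandemic_rule(e)]


# Constructed sample telemetry (not captured from a real host). Field names
# follow Sysmon's registry events; the paths and image names are made up.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # key created under the Null service; different case still matches
        "id": "e1", "EventID": 12, "EventType": "CreateKey",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\null\Instance",
    },
    {   # value set beneath the key: contains is a substring match, so it fires
        "id": "e2", "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\null\Instance\Altitude",
    },
    {   # the built-in Null service's own Start value: not under Instance
        "id": "e3", "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\services.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\Null\Start",
    },
    {   # caveat: a minifilter-style 'Instances' subkey also contains the needle
        "id": "e4", "EventID": 12, "EventType": "CreateKey",
        "Image": r"C:\Windows\System32\drvinst.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\Null\Instances\Null Instance",
    },
    {   # process-creation event: wrong category, no TargetObject field at all
        "id": "e5", "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c reg query HKLM\\SYSTEM\\CurrentControlSet\\services\\null",
    },
    {   # ordinary autorun write: unrelated key
        "id": "e6", "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Program Files\Updater\updater.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    },
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        event = next(e for e in SAMPLE_EVENTS if e["id"] == hit)
        print(f"ALERT {hit}: {event['Image']} -> {event['TargetObject']}")
```

Two things the replay makes visible. First, `contains` is case-insensitive and matches anywhere in the field, so the rule fires on the key itself, on any value beneath it, and on any path that merely embeds the string (e4 shows that a `...\Null\Instances\...` subkey, the layout filter-manager drivers use, satisfies the match as well). Second, the rule is scoped to the registry_event logsource, so the same path appearing in a process command line (e5) is out of scope for this rule. Because the rule lists its false positives as Unknown and is rated critical, triage should start from the fields Sysmon already supplies on the hit: the Image that performed the write and the value data it set.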
Related rules
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Suspicious CertReq Command to Download
- Equation Group C2 Communication
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server