FlowCloud Registry Markers

Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Sigma rule

```yaml
title: FlowCloud Registry Markers
id: 5118765f-6657-4ddb-a487-d7bd673abbf1
status: test
description: |
    Detects FlowCloud malware registry markers from threat group TA410.
    The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
author: NVISO
date: 2020-06-09
modified: 2024-03-20
tags:
    - attack.persistence
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains:
            - '\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
            - '\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
            - '\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
            - '\SYSTEM\Setup\PrintResponsor\'
    condition: selection
falsepositives:
    - Unlikely
level: critical
```
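To show how the `TargetObject|contains` selection above behaves once it is applied to real telemetry, here is an added Python re-implementation of the rule's matching logic run over a few constructed registry events. This is example code written for this page, not part of the Sigma rule or of any SIEM backend; it assumes the events have already been parsed into dictionaries with the Sysmon-style `EventID`, `Image` and `TargetObject` fields that `registry_event` log sources normally provide, and the process paths in the samples are made up. Sigma's `contains` modifier matches case-insensitively, which the example reproduces so that a key written as `\System\Setup\PrintResponsor\` still fires.

```python
"""Apply the FlowCloud registry-marker selection to sample registry events.

Added example, not part of the rule page: it re-implements the Sigma
`TargetObject|contains` selection in plain Python so the matching can be
checked against a handful of constructed Sysmon-style registry events.
"""
from typing import Dict, List, Optional

# Marker substrings copied verbatim from the rule's selection list.
# Backslashes are doubled because these are normal (non-raw) Python strings.
FLOWCLOUD_MARKERS = (
    "\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}",
    "\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}",
    "\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}",
    "\\SYSTEM\\Setup\\PrintResponsor\\",
)


def matches_flowcloud_marker(target_object: str) -> Optional[str]:
    """Return the marker substring that fires for this key path, or None.

    Sigma string comparisons (including the `contains` modifier) are
    case-insensitive, so both sides are lower-cased before the substring test.
    """
    haystack = target_object.lower()
    for marker in FLOWCLOUD_MARKERS:
        if marker.lower() in haystack:
            return marker
    return None


def evaluate_events(events: List[Dict]) -> List[Dict]:
    """Run the rule over parsed registry events and return one alert per hit.

    Each alert carries the fields an analyst would pivot on (process image,
    registry key, matched marker) plus the rule's severity.
    """
    alerts = []
    for event in events:
        marker = matches_flowcloud_marker(event.get("TargetObject", ""))
        if marker is not None:
            alerts.append(
                {
                    "rule": "FlowCloud Registry Markers",
                    "level": "critical",
                    "EventID": event.get("EventID"),
                    "Image": event.get("Image"),
                    "TargetObject": event.get("TargetObject"),
                    "marker": marker,
                }
            )
    return alerts


# Constructed sample events (assumption: Sysmon registry events 12/13 parsed
# into dicts). The process paths are invented for the example.
SAMPLE_EVENTS = [
    {   # benign service configuration change, must not fire
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\BITS\\Start",
    },
    {   # value written under one of the FlowCloud HARDWARE GUID keys
        "EventID": 13,
        "Image": "C:\\Windows\\Temp\\setup.exe",
        "TargetObject": "HKLM\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}\\config",
    },
    {   # PrintResponsor key created with mixed case; still matches
        "EventID": 12,
        "Image": "C:\\Windows\\Temp\\setup.exe",
        "TargetObject": "HKLM\\System\\Setup\\PrintResponsor\\",
    },
    {   # ordinary per-user application setting, must not fire
        "EventID": 13,
        "Image": "C:\\Program Files\\App\\app.exe",
        "TargetObject": "HKCU\\Software\\App\\Settings",
    },
]


if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['Image']} -> {alert['TargetObject']} "
              f"(marker {alert['marker']})")
```

Running the script prints two alerts, one for the `HARDWARE` GUID key and one for the mixed-case `PrintResponsor` key, and nothing for the two benign events. Because the markers are matched as substrings, the selection fires regardless of which hive prefix (`HKLM\` in Sysmon, `\REGISTRY\MACHINE\` in other sources) the log source puts in front of the key path.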
