Leviathan Registry Key Activity
Detects registry key used by Leviathan APT in Malaysian focused campaign
Sigma rule (View on GitHub)
1title: Leviathan Registry Key Activity
2id: 70d43542-cd2d-483c-8f30-f16b436fd7db
3status: test
4description: Detects registry key used by Leviathan APT in Malaysian focused campaign
5references:
6 - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
7author: Aidan Bracher
8date: 2020-07-07
9modified: 2023-09-19
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.t1547.001
14 - detection.emerging-threats
15logsource:
16 category: registry_event
17 product: windows
18detection:
19 selection:
20 TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
21 condition: selection
22level: critical
References
-
Our Elastic Security research team has focused on advanced techniques used in a Malaysian-focused APT campaign. Learn who’s behind it, how the attack works, observed MITRE attack® techniques, and indicators of compromise.
Read More
Related rules
- Forest Blizzard APT - Custom Protocol Handler Creation
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
- Kapeka Backdoor Autorun Persistence
- Potential KamiKakaBot Activity - Winlogon Shell Persistence
- Potential Ryuk Ransomware Activity