Small Sieve Malware Registry Persistence

Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware

Sigma rule (View on GitHub)

 1title: Small Sieve Malware Registry Persistence
 2id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
 3status: test
 4description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
 5references:
 6    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/05/19
 9modified: 2023/08/17
10tags:
11    - attack.persistence
12    - detection.emerging_threats
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_path:
18        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Run\'
19    selection_value:
20        - TargetObject|contains: 'Microsift'
21        - Details|contains: '.exe Platypus'
22    condition: all of selection_*
23falsepositives:
24    - Unlikely
25level: high

References

Related rules

to-top