Small Sieve Malware Registry Persistence
Detects a Run-key registry value whose name carries the deliberate "Microsift" typo or whose data carries the ".exe Platypus" string, both seen used by the Small Sieve malware
Sigma rule

title: Small Sieve Malware Registry Persistence
id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
status: test
description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
modified: 2023-08-17
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection_path:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Run\'
    selection_value:
        - TargetObject|contains: 'Microsift'
        - Details|contains: '.exe Platypus'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
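The rule combines two selections: selection_path requires the written value to sit under a CurrentVersion\Run key, and selection_value, being a YAML list, fires on either the "Microsift" typo in the value name (TargetObject) or the ".exe Platypus" string in the value data (Details). The following script is an added example, not code from the Sigma project or the rule author: it implements that logic in plain Python and runs it over a handful of constructed Sysmon Event ID 13 (registry_set) records, including edge cases the rule deliberately does not match. The sample events are invented for illustration and are not captured telemetry.

```python
"""Evaluate the Small Sieve registry persistence rule over Sysmon Event ID 13
(registry_set) records. Added example, not code from the Sigma project; the
events below are constructed for illustration, not captured telemetry."""

# The three field/value pairs from the rule's detection section.
RUN_KEY = "\\Microsoft\\Windows\\CurrentVersion\\Run\\"
TYPO_IN_VALUE_NAME = "Microsift"
PLATYPUS_ARGUMENT = ".exe Platypus"


def sigma_contains(field_value, needle):
    """Sigma `|contains` is a case-insensitive substring test."""
    return field_value is not None and needle.lower() in field_value.lower()


def selection_path(event):
    """selection_path: the value being written lives directly under a Run key."""
    return sigma_contains(event.get("TargetObject"), RUN_KEY)


def selection_value(event):
    """selection_value is a YAML list, so its entries are OR-ed together:
    the typo in the value name OR the Platypus argument in the value data."""
    return (sigma_contains(event.get("TargetObject"), TYPO_IN_VALUE_NAME)
            or sigma_contains(event.get("Details"), PLATYPUS_ARGUMENT))


def rule_matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_path(event) and selection_value(event)


# Constructed Sysmon EID 13 records (TargetObject = key path plus value name,
# Details = value data). Names, SIDs and paths are made up for this example.
SAMPLE_EVENTS = [
    {   # Run value whose name carries the typo and whose data carries the argument
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift",
        "Details": r"C:\Users\alice\AppData\Roaming\index.exe Platypus",
    },
    {   # Legitimate autostart entry: Run key, but no typo and no Platypus argument
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    {   # Typo present but not under a Run key: selection_path fails, no alert
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsift\Outlook\Installed",
        "Details": r"DWORD (0x00000001)",
    },
    {   # Run key and the word Platypus, but not preceded by ".exe ": no alert
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Platypus",
        "Details": r"C:\Tools\platypus.exe --daemon",
    },
    {   # Same indicators in different letter case: Sigma `contains` still matches
        "TargetObject": r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\outlookmicrosift",
        "Details": r"C:\ProgramData\svc\INDEX.EXE PLATYPUS",
    },
]


def matching_indices(events=SAMPLE_EVENTS):
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for i in matching_indices():
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['TargetObject']}")
```

Two points worth keeping in mind when deploying the rule. First, the path selection matches the literal substring `\Run\`, so a value written under `RunOnce` with the same indicators would not fire; widen selection_path if that coverage is wanted. Second, the rule only sees what the sensor records: Sysmon must be configured to log RegistryEvent (Value Set, Event ID 13) for the CurrentVersion\Run keys, since the Details field this rule keys on is the value data carried by that event.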
Related rules
- COLDSTEEL Persistence Service Creation
- COLDSTEEL RAT Anonymous User Process Execution
- COLDSTEEL RAT Cleanup Command Execution
- COLDSTEEL RAT Service Persistence Execution
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit