SNAKE Malware Covert Store Registry Key

Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n', which is a key related to SNAKE malware as described by CISA

Sigma rule

title: SNAKE Malware Covert Store Registry Key
id: d0fa35db-0e92-400e-aa16-d32ae2521618
status: test
description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-11
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: 'SECURITY\Policy\Secrets\n'
    condition: selection
level: high
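The selection above, applied to a handful of constructed Sysmon-style registry events, as an added example that is not part of the SigmaHQ rule or the CISA advisory. The field names follow Sigma's registry_event mapping (TargetObject); the event records are made up for illustration.

```python
"""Apply the SNAKE covert-store Sigma selection to sample registry events.

Added example, not part of the SigmaHQ rule or the CISA advisory. The
records below are constructed to look like Sysmon registry events
(EventID 12/13/14) after mapping to Sigma's TargetObject field.
"""
from typing import Iterable, List

# Suffix copied from the rule's selection (TargetObject|endswith)
SNAKE_COVERT_STORE_SUFFIX = r"SECURITY\Policy\Secrets\n"


def matches_snake_covert_store(event: dict) -> bool:
    """True when TargetObject ends with the rule's suffix.

    Sigma string matching is case-insensitive by default, so both sides
    are lowercased before comparison.
    """
    target = event.get("TargetObject")
    if not isinstance(target, str):
        return False  # non-registry events carry no TargetObject
    return target.lower().endswith(SNAKE_COVERT_STORE_SUFFIX.lower())


def find_snake_covert_store_events(events: Iterable[dict]) -> List[int]:
    """Return the EventRecordIDs of events the selection fires on."""
    return [e["EventRecordID"] for e in events if matches_snake_covert_store(e)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    # key creation directly on the covert-store key: fires
    {"EventRecordID": 1, "EventID": 12, "EventType": "CreateKey",
     "TargetObject": r"HKLM\SECURITY\Policy\Secrets\n"},
    # same key, different case: still fires (case-insensitive match)
    {"EventRecordID": 2, "EventID": 12, "EventType": "CreateKey",
     "TargetObject": r"hklm\security\policy\secrets\n"},
    # value written beneath the key: endswith does not match; a wider
    # 'contains' selection would be needed to catch this
    {"EventRecordID": 3, "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SECURITY\Policy\Secrets\n\CurrVal"},
    # a legitimate LSA secret name: no match
    {"EventRecordID": 4, "EventID": 12, "EventType": "CreateKey",
     "TargetObject": r"HKLM\SECURITY\Policy\Secrets\NL$KM"},
    # process-creation event with no TargetObject: ignored
    {"EventRecordID": 5, "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},
]
```

Running `find_snake_covert_store_events(SAMPLE_EVENTS)` returns `[1, 2]`; record 3 shows the coverage boundary of an `endswith` selection that a tuning review should keep in mind.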
