SNAKE Malware Covert Store Registry Key

Aug 12, 2024 · attack.persistence detection.emerging-threats ·

Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA

Sigma rule (View on GitHub)

 1title: SNAKE Malware Covert Store Registry Key
 2id: d0fa35db-0e92-400e-aa16-d32ae2521618
 3status: test
 4description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
 5references:
 6    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-05-11
 9tags:
10    - attack.persistence
11    - detection.emerging-threats
12logsource:
13    category: registry_event
14    product: windows
15detection:
16    selection:
17        TargetObject|endswith: 'SECURITY\Policy\Secrets\n'
18    condition: selection
19level: high

References

https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF

Read More

SNAKE Malware Covert Store Registry Key

Sigma rule (View on GitHub)

References

https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF

Related rules