Potential Encrypted Registry Blob Related To SNAKE Malware

Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA

Sigma rule (View on GitHub)

 1title: Potential Encrypted Registry Blob Related To SNAKE Malware
 2id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
 3status: test
 4description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
 5references:
 6    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-05-10
 9modified: 2023-08-17
10tags:
11    - attack.persistence
12    - detection.emerging-threats
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|contains: '\SOFTWARE\Classes\.wav\OpenWithProgIds\'
19    filter_main_wav:
20        - TargetObject|endswith: '.AssocFile.WAV'
21        - TargetObject|contains: '.wav.'
22    condition: selection and not 1 of filter_main_*
23falsepositives:
24    - Some additional tuning might be required to tune out legitimate processes that write to this key by default
25level: medium

References

Related rules

to-top