Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.
Sigma rule (View on GitHub)
1title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
2id: d807056b-0e00-4cec-b7f8-b8b7518e382b
3status: experimental
4description: |
5 Detects the setting of the DLL that handles the custom protocol handler.
6 Seen being created by Forest Blizzard APT as reported by MSFT.
7references:
8 - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2024-04-23
11tags:
12 - attack.persistence
13 - attack.t1547.001
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|contains: '\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\Server'
20 Details|endswith: '.dll'
21 condition: selection
22falsepositives:
23 - Unlikely
24level: high
References
Related rules
- Classes Autorun Keys Modification
- Common Autorun Keys Modification
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification