Forest Blizzard APT - Custom Protocol Handler DLL Registry Set

Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.

Sigma rule (View on GitHub)

 1title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
 2id: d807056b-0e00-4cec-b7f8-b8b7518e382b
 3status: experimental
 4description: |
 5    Detects the setting of the DLL that handles the custom protocol handler.
 6    Seen being created by Forest Blizzard APT as reported by MSFT.    
 7references:
 8    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2024-04-23
11tags:
12    - attack.persistence
13    - attack.t1547.001
14logsource:
15    category: registry_set
16    product: windows
17detection:
18    selection:
19        TargetObject|contains: '\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\Server'
20        Details|endswith: '.dll'
21    condition: selection
22falsepositives:
23    - Unlikely
24level: high

References

Related rules

to-top