Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.
Sigma rule
title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
id: d807056b-0e00-4cec-b7f8-b8b7518e382b
status: experimental
description: |
    Detects the setting of the DLL that handles the custom protocol handler.
    Seen being created by Forest Blizzard APT as reported by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/04/23
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\Server'
        Details|endswith: '.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
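The rule's `selection` ANDs a case-insensitive `contains` on TargetObject with an `endswith` on Details. The following added example (not part of the rule or the SigmaHQ tooling) re-implements that selection in Python and runs it over constructed registry_set events in the Sysmon Event ID 13 field layout; the paths, hive prefixes and DLL names are illustrative placeholders, not indicators from the Microsoft report.

```python
"""Evaluate this rule's registry_set selection over sample events (added example)."""

# Fragment from the rule's TargetObject|contains; Sigma string matching is
# case-insensitive by default, so comparisons below are lowercased.
CLSID_SERVER_FRAGMENT = r"\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\Server"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `selection`: both conditions must hold,
    exactly as the keys of a Sigma selection map are ANDed."""
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    return CLSID_SERVER_FRAGMENT.lower() in target and details.endswith(".dll")


# Constructed sample events (hypothetical values, Sysmon Event ID 13 style).
SAMPLE_EVENTS = [
    {   # expected match: Server value of the CLSID set to a DLL path
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\Server",
        "Details": r"C:\Users\Public\example_handler.dll",
    },
    {   # no match: right key, but the value written is not a DLL
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\Server",
        "Details": "SomeValue",
    },
    {   # no match: a DLL written under an unrelated CLSID
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\Server",
        "Details": r"C:\Windows\System32\example.dll",
    },
    {   # expected match: different casing, which Sigma matching ignores
        "EventID": 13,
        "TargetObject": r"HKU\S-1-5-21-0-0-0-1000_Classes\clsid\{026cc6d7-34b2-33d5-b551-ca31eb6ce345}\server",
        "Details": r"C:\ProgramData\example.DLL",
    },
]


def alerts(events):
    """Return the indexes of the events that would trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['TargetObject']} -> {e['Details']}")
```

The fourth event shows why the `contains` (rather than a full-path match) matters for coverage: the same CLSID can appear under per-user `HKU\...\_Classes` as well as `HKLM\SOFTWARE\Classes`.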
Related rules
- Forest Blizzard APT - Custom Protocol Handler Creation
- New RUN Key Pointing to Suspicious Folder
- PowerShell Startup Folder Persistence
- Potential KamiKakaBot Activity - Winlogon Shell Persistence
- File Creation In Suspicious Directory By Msdt.EXE