Potential Winnti Dropper Activity
Detects files dropped by Winnti as described in RedMimicry Winnti playbook
Sigma rule

```yaml
title: Potential Winnti Dropper Activity
id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
status: test
description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
references:
    - https://redmimicry.com/posts/redmimicry-winnti/#dropper
author: Alexander Rausch
date: 2020-06-24
modified: 2023-01-05
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\gthread-3.6.dll'
            - '\sigcmm-2.4.dll'
            - '\Windows\Temp\tmp.bat'
    condition: selection
falsepositives:
    - Unknown
level: high
```
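The rule above is a single `endswith` selection over the `TargetFilename` field of Windows file-creation telemetry (Sysmon Event ID 11 is the usual source). The following is an added example, not part of the rule or the Sigma project, that evaluates that selection the way a converted SIEM query would, over a handful of constructed file events. The `FileEvent` type, the sample records and the `scan` helper are assumptions made for the illustration; the suffix list is copied from the rule, and matching is done case-insensitively, as Sigma string modifiers are.

```python
"""Evaluate the 'Potential Winnti Dropper Activity' selection over file events.

Added example: not the rule's own code or a Sigma backend. Field naming follows
Sysmon Event ID 11 (FileCreate), whose TargetFilename field the rule keys on.
"""
from dataclasses import dataclass
from typing import Iterable

# Suffixes taken verbatim from the rule's TargetFilename|endswith selection.
WINNTI_DROPPER_SUFFIXES = (
    r"\gthread-3.6.dll",
    r"\sigcmm-2.4.dll",
    r"\Windows\Temp\tmp.bat",
)


@dataclass
class FileEvent:
    """Minimal file-creation record (assumed shape, not a Sysmon schema)."""
    computer: str
    image: str            # process that created the file (Sysmon 'Image')
    target_filename: str  # full path of the created file (Sysmon 'TargetFilename')


def matches_winnti_dropper(event: FileEvent) -> bool:
    """Sigma 'endswith' is case-insensitive, so compare both sides lower-cased."""
    path = event.target_filename.lower()
    return any(path.endswith(suffix.lower()) for suffix in WINNTI_DROPPER_SUFFIXES)


def scan(events: Iterable[FileEvent]) -> list[FileEvent]:
    """Return the events that satisfy 'condition: selection'."""
    return [e for e in events if matches_winnti_dropper(e)]


# Constructed sample telemetry; none of these paths come from a real host.
SAMPLE_EVENTS = [
    FileEvent("WS01", r"C:\Users\alice\Downloads\setup.exe",
              r"C:\ProgramData\gthread-3.6.dll"),
    FileEvent("WS01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Temp\tmp.bat"),
    # Similar-looking but different library name: must not match.
    FileEvent("WS02", r"C:\Program Files\App\app.exe",
              r"C:\Program Files\App\libgthread-2.0-0.dll"),
    # Extra extension after the suffix: must not match.
    FileEvent("WS03", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\Temp\tmp.bat.log"),
    # Upper-case path: still matches because the comparison is case-insensitive.
    FileEvent("WS03", r"C:\Users\bob\AppData\Local\Temp\inst.exe",
              r"C:\Users\bob\AppData\Local\Temp\SIGCMM-2.4.DLL"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[high] Potential Winnti Dropper Activity on {hit.computer}: "
              f"{hit.image} wrote {hit.target_filename}")
```

Run against the constructed events, the first, second and fifth records fire and the two near-misses do not. Because the rule lists `falsepositives: Unknown`, the creating process (`Image`) is carried along in each hit so an analyst can pivot on it when triaging.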
References
- https://redmimicry.com/posts/redmimicry-winnti/#dropper
Related rules
- Base64 Encoded PowerShell Command Detected
- Certificate Exported Via Certutil.EXE
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Decode Base64 Encoded Text
- Decode Base64 Encoded Text -MacOs