Potential Winnti Dropper Activity
Detects files dropped by Winnti as described in RedMimicry Winnti playbook
Sigma rule (View on GitHub)
1title: Potential Winnti Dropper Activity
2id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
3status: test
4description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
5references:
6 - https://redmimicry.com/posts/redmimicry-winnti/#dropper
7author: Alexander Rausch
8date: 2020/06/24
9modified: 2023/01/05
10tags:
11 - attack.defense_evasion
12 - attack.t1027
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 TargetFilename|endswith:
19 - '\gthread-3.6.dll'
20 - '\sigcmm-2.4.dll'
21 - '\Windows\Temp\tmp.bat'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
The RedMimicry Platform Prototype This post describes an early RedMimicry prototype and does not reflect the current state of the product. The RedMimicry platform prototype is built in a modular way in order to provide a good framework for the implementation of emulation profiles. Emulation profiles can be divided into the following components: payload delivery and staging command & control traffic encoding automated breach emulation script This RedMimicry release aims to emulate the behavior of the Winnti malware from around 2015.
Read More
Related rules
- Decode Base64 Encoded Text
- ISO, VHD, LNK or IMG File Extracted from Zip (Sysmon)
- Web Browser Creates Zip Archive File (Sysmon)
- Suspicious Use of Rcedit Utility to Alter Executable Metadata
- Decode Base64 Encoded Text -MacOs