HackTool - RedMimicry Winnti Playbook Execution
Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility
Sigma rule
title: HackTool - RedMimicry Winnti Playbook Execution
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility
references:
    - https://redmimicry.com/posts/redmimicry-winnti/
author: Alexander Rausch
date: 2020-06-24
modified: 2023-03-01
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1106
    - attack.t1059.003
    - attack.t1218.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'gthread-3.6.dll'
            - '\Windows\Temp\tmp.bat'
            - 'sigcmm-2.4.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
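The selection above is two field checks ANDed together, each with an OR list of values: the process image must end with one of the two executables AND the command line must contain one of the three playbook artefacts, with Sigma's string modifiers matching case-insensitively. The following is an added example, written for this page and not part of Sigma, pySigma or any backend, that evaluates exactly that selection over a handful of constructed process_creation events; the event dictionaries and the helper names are assumptions made here, not real telemetry or a library API.

```python
"""Minimal evaluator for the RedMimicry Winnti rule's selection (illustrative, added here).

Semantics reproduced, matching how Sigma rules are interpreted:
  - fields inside one selection are ANDed,
  - the values listed under one field are ORed,
  - endswith/contains compare case-insensitively, which matters for Windows paths.
"""

# The rule's selection, transcribed as a dict (field|modifier -> list of values).
# Backslashes are doubled only because this is a Python string literal.
RULE_SELECTION = {
    "Image|endswith": ["\\rundll32.exe", "\\cmd.exe"],
    "CommandLine|contains": [
        "gthread-3.6.dll",
        "\\Windows\\Temp\\tmp.bat",
        "sigcmm-2.4.dll",
    ],
}


def _match_value(modifier, field_value, pattern):
    """Apply one Sigma string modifier case-insensitively (hypothetical helper)."""
    f, p = field_value.lower(), pattern.lower()
    if modifier == "endswith":
        return f.endswith(p)
    if modifier == "contains":
        return p in f
    if modifier == "startswith":
        return f.startswith(p)
    if modifier is None:  # no modifier means exact (case-insensitive) equality
        return f == p
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(selection, event):
    """True if every field in the selection matches at least one of its listed values."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:  # missing field never matches
            return False
        if not any(_match_value(modifier or None, value, p) for p in patterns):
            return False
    return True


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\Temp\\gthread-3.6.dll,Run"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Windows\\Temp\\tmp.bat"},
    # Upper-case image and arguments: still matches because modifiers are case-insensitive.
    {"Image": "C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE",
     "CommandLine": "RUNDLL32.EXE SIGCMM-2.4.DLL,Start"},
    # rundll32 with an unrelated DLL: image matches, command line does not, so no hit.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    # The artefact string alone is not enough: the image must also be rundll32/cmd.
    {"Image": "C:\\Program Files\\App\\loader.exe",
     "CommandLine": "loader.exe gthread-3.6.dll"},
]


def run_rule(events):
    """Return the indices of events the selection (and thus the rule) fires on."""
    return [i for i, e in enumerate(events) if matches_selection(RULE_SELECTION, e)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # [0, 1, 2]
```

The last two sample events show the coverage edge a practitioner should keep in mind: a loader that is not rundll32.exe or cmd.exe but still references the playbook's DLL names does not trigger this rule, because the Image check is a hard AND with the CommandLine check. A production backend compiles the YAML to a SIEM query rather than running Python over events, but a small harness like this is a convenient way to pin the rule's semantics with sample events before deploying it.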
References
- https://redmimicry.com/posts/redmimicry-winnti/
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Sofacy Trojan Loader Activity
- Suspicious HH.EXE Execution
- ZxShell Malware
- APT29 2018 Phishing Campaign CommandLine Indicators