HackTool - RedMimicry Winnti Playbook Execution
Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
Sigma rule (View on GitHub)
1title: HackTool - RedMimicry Winnti Playbook Execution
2id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
3status: test
4description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
5references:
6 - https://redmimicry.com/posts/redmimicry-winnti/
7author: Alexander Rausch
8date: 2020/06/24
9modified: 2023/03/01
10tags:
11 - attack.execution
12 - attack.defense_evasion
13 - attack.t1106
14 - attack.t1059.003
15 - attack.t1218.011
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection:
21 Image|endswith:
22 - '\rundll32.exe'
23 - '\cmd.exe'
24 CommandLine|contains:
25 - 'gthread-3.6.dll'
26 - '\Windows\Temp\tmp.bat'
27 - 'sigcmm-2.4.dll'
28 condition: selection
29falsepositives:
30 - Unknown
31level: high
References
-
The RedMimicry Platform Prototype This post describes an early RedMimicry prototype and does not reflect the current state of the product. The RedMimicry platform prototype is built in a modular way in order to provide a good framework for the implementation of emulation profiles. Emulation profiles can be divided into the following components: payload delivery and staging command & control traffic encoding automated breach emulation script This RedMimicry release aims to emulate the behavior of the Winnti malware from around 2015.
Read More
Related rules
- Command Shell Obfuscated Commands
- Powershell Obfuscation and Escape Characters
- MpiExec Lolbin
- Suspicious Runscripthelper.exe
- Suspicious ZipExec Execution