Suspicious Reg Add Open Command
Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
Sigma rule (View on GitHub)
1title: Suspicious Reg Add Open Command
2id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
3status: test
4description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
5references:
6 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
7author: frack113
8date: 2021/12/20
9modified: 2022/12/25
10tags:
11 - attack.credential_access
12 - attack.t1003
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_1:
18 CommandLine|contains|all:
19 - 'reg'
20 - 'add'
21 - 'hkcu\software\classes\ms-settings\shell\open\command'
22 - '/ve '
23 - '/d'
24 selection_2:
25 CommandLine|contains|all:
26 - 'reg'
27 - 'add'
28 - 'hkcu\software\classes\ms-settings\shell\open\command'
29 - '/v'
30 - 'DelegateExecute'
31 selection_3:
32 CommandLine|contains|all:
33 - 'reg'
34 - 'delete'
35 - 'hkcu\software\classes\ms-settings'
36 condition: 1 of selection_*
37falsepositives:
38 - Unknown
39level: medium
References
-
In this report, we observed threat actors deploy multiple Cobalt Strike DLL beacons, perform internal discovery using Windows utilities, execute lateral movement using AnyDesk and RDP, dump credentials multiple ways, exfiltrate data and deploy domain wide ransomware in as little as 42 hours from initial access.
Read More
Related rules
- Esentutl Gather Credentials
- Linux Keylogging with Pam.d
- Mimikatz Command Line With Ticket Export
- NTDSutil Pulling of NTDS.dit File
- WCE wceaux.dll Access