Leviathan Registry Key Activity
Detects registry key used by Leviathan APT in Malaysian focused campaign
Sigma rule (View on GitHub)
1title: Leviathan Registry Key Activity
2id: 70d43542-cd2d-483c-8f30-f16b436fd7db
3status: test
4description: Detects registry key used by Leviathan APT in Malaysian focused campaign
5references:
6 - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
7author: Aidan Bracher
8date: 2020/07/07
9modified: 2023/09/19
10tags:
11 - attack.persistence
12 - attack.t1547.001
13logsource:
14 category: registry_event
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
19 condition: selection
20level: critical
References
Related rules
- Classes Autorun Keys Modification
- CurrentControlSet Autorun Keys Modification
- Internet Explorer Autorun Keys Modification
- Modify User Shell Folders Startup Value
- Session Manager Autorun Keys Modification