Pandemic Registry Key

 1title: Pandemic Registry Key
 2id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
 3status: test
 4description: Detects Pandemic Windows Implant
 5references:
 6    - https://wikileaks.org/vault7/#Pandemic
 7    - https://twitter.com/MalwareJake/status/870349480356454401
 8author: Florian Roth (Nextron Systems)
 9date: 2017-06-01
10modified: 2022-10-09
11tags:
12    - attack.command-and-control
13    - attack.t1105
14logsource:
15    category: registry_event
16    product: windows
17detection:
18    selection:
19        TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
20    condition: selection
21falsepositives:
22    - Unknown
23level: critical

References

• WikiLeaks - Vault 7: Projects

  Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI ...

  
  Read More

• x.com

  
  Read More

Related rules

• AppX Package Installation Attempts Via AppInstaller.EXE
• Arbitrary File Download Via GfxDownloadWrapper.EXE
• Browser Execution In Headless Mode
• Cisco Stage Data
• Command Line Execution with Suspicious URL and AppData Strings