Pandemic Registry Key

 1title: Pandemic Registry Key
 2id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
 3status: test
 4description: Detects Pandemic Windows Implant
 5references:
 6    - https://wikileaks.org/vault7/#Pandemic
 7    - https://twitter.com/MalwareJake/status/870349480356454401
 8author: Florian Roth (Nextron Systems)
 9date: 2017/06/01
10modified: 2022/10/09
11tags:
12    - attack.command_and_control
13    - attack.t1105
14logsource:
15    category: registry_event
16    product: windows
17detection:
18    selection:
19        TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
20    condition: selection
21falsepositives:
22    - Unknown
23level: critical

References

• WikiLeaks - Vault 7: Projects

  Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI ...

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• BITSAdmin Downloading Malicious Binaries
• CertUtil Downloading Malicious Binaries
• Certreq Downloading Malicious Binaries
• Replace.exe Usage
• Script Initiated Connection to Non-Local Network