Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
Sigma rule

```yaml
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
    - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020-05-08
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        EventID:
            - 12
            - 13
        TargetObject|contains: 'SYSTEM\'
        TargetObject|endswith: '\services\localNETService'
    condition: selection
fields:
    - Image
    - TargetObject
    - TargetDetails
falsepositives:
    - Unknown
level: critical
```
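The rule's selection logic, as an added Python example that is not part of the rule or of the SigmaHQ project: it applies the EventID, `contains` and `endswith` conditions (case-insensitively, as Sigma string matching is) to constructed Sysmon-style registry events and returns the ones that would alert. The event dictionary field names and the sample paths are assumptions.

```python
# Added example: evaluates the Sigma rule's 'selection' over constructed
# Sysmon-style registry events. Assumes events are dicts keyed by the Sigma
# field names (EventID, TargetObject, Image); string modifiers are matched
# case-insensitively, as Sigma specifies.
from typing import Dict, Iterable, List

RULE_EVENT_IDS = {12, 13}                      # Sysmon: key create/delete, value set
RULE_CONTAINS = "SYSTEM\\"                     # TargetObject|contains
RULE_ENDSWITH = "\\services\\localNETService"  # TargetObject|endswith


def matches_azorult_rule(event: Dict) -> bool:
    """Return True when the event satisfies every condition in 'selection'."""
    if int(event.get("EventID", -1)) not in RULE_EVENT_IDS:
        return False
    target = str(event.get("TargetObject", "")).lower()
    return RULE_CONTAINS.lower() in target and target.endswith(RULE_ENDSWITH.lower())


def run_detection(events: Iterable[Dict]) -> List[Dict]:
    """Filter an event stream down to the events the rule would alert on."""
    return [e for e in events if matches_azorult_rule(e)]


# Constructed sample events; image names and paths are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\localNETService"},
    {"EventID": 12, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\localNETService"},
    # Same key name but EventID 14 (key/value rename): outside the rule's EventID list
    {"EventID": 14, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\localNETService"},
    # Unrelated service key: must not match
    {"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start"},
    # A value written *under* the key: TargetObject ends in the value name, so endswith fails
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\localNETService\\ImagePath"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT (critical):", hit["Image"], "->", hit["TargetObject"])
```

The rule carries no Image condition, so it fires regardless of which process wrote the key; Image is listed under `fields` so the analyst sees it at triage time.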
Related rules
- Blue Mockingbird
- Blue Mockingbird - Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Potential Ursnif Malware Activity - Registry
- AADInternals PowerShell Cmdlets Execution - ProccessCreation