Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
Sigma rule
```yaml
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
    - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020-05-08
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.execution
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        EventID:
            - 12
            - 13
        TargetObject|contains: 'SYSTEM\'
        TargetObject|endswith: '\services\localNETService'
    condition: selection
fields:
    - Image
    - TargetObject
    - TargetDetails
falsepositives:
    - Unknown
level: critical
```
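To see what the `selection` block above actually matches, the following added example (not part of the Sigma project or this rule) evaluates the same three conditions over constructed Sysmon-style registry events. It assumes Sysmon field names (`EventID`, `Image`, `TargetObject`) and Sigma's default case-insensitive string matching for the `contains` and `endswith` modifiers.

```python
from typing import Any, Dict, List

Event = Dict[str, Any]

# Constructed sample events, shaped like Sysmon registry events
# (EventID 12 = key create/delete, 13 = value set, 14 = key/value rename).
SAMPLE_EVENTS: List[Event] = [
    # 1: service key created under HKLM\SYSTEM -> expected to match
    {"EventID": 12, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\localNETService"},
    # 2: value set on the same key, different letter case -> still matches,
    #    because Sigma string modifiers are case-insensitive by default
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\services\\LocalNetService",
     "Details": "DWORD (0x00000002)"},
    # 3: routine service value change by the Service Control Manager -> no match
    {"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Start"},
    # 4: same key name, but no 'SYSTEM\' component in the path -> no match
    {"EventID": 12, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Services\\localNETService"},
    # 5: rename event (EventID 14) on the key -> not selected by this rule
    {"EventID": 14, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\localNETService"},
]


def matches_selection(event: Event) -> bool:
    """Return True when the event satisfies every condition of the rule's `selection`.

    Sigma semantics: a list under a field (EventID) is OR, sibling keys in the
    same map are AND, and contains/endswith compare case-insensitively.
    """
    if event.get("EventID") not in (12, 13):
        return False
    target = str(event.get("TargetObject", "")).lower()
    return "system\\" in target and target.endswith("\\services\\localnetservice")


def find_hits(events: List[Event]) -> List[Event]:
    """Apply the rule to a stream of events and return the matching ones."""
    return [e for e in events if matches_selection(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        # The rule's `fields` block names Image and TargetObject for triage output.
        print(hit["EventID"], hit["Image"], hit["TargetObject"])
```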