Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
Sigma rule
```yaml
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
    - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020-05-08
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        EventID:
            - 12
            - 13
        TargetObject|contains: 'SYSTEM\'
        TargetObject|endswith: '\services\localNETService'
    condition: selection
fields:
    - Image
    - TargetObject
    - TargetDetails
falsepositives:
    - Unknown
level: critical
```
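To make the rule's matching behaviour concrete, the following is an added example (not part of the rule or of SigmaHQ) that evaluates the `selection` block above against a handful of constructed Sysmon-style registry events. It mirrors Sigma's semantics: every field in the selection is ANDed, `EventID` is a list (OR), and string modifiers such as `contains` and `endswith` are case-insensitive. The event shapes, image paths and the `RegistryEvent` helper are assumptions made for the demonstration; the rule's own values are used verbatim. One practical consequence worth seeing: because the rule uses `endswith` on the key path, a value-set event (EventID 13) whose `TargetObject` ends in `\localNETService\ImagePath` does not match, only events whose `TargetObject` is the service key itself do.

```python
"""Evaluate the Azorult Sigma selection over constructed Sysmon registry events.

Sysmon EventID 12 = registry key created/deleted, EventID 13 = registry value set.
Both the events and the RegistryEvent container are constructed for this example.
"""
from dataclasses import dataclass

# Values copied from the rule's selection block.
RULE_EVENT_IDS = (12, 13)
RULE_CONTAINS = "SYSTEM\\"                       # TargetObject|contains
RULE_ENDSWITH = r"\services\localNETService"     # TargetObject|endswith


@dataclass
class RegistryEvent:
    """Minimal Sysmon registry event (assumed field subset)."""
    event_id: int
    image: str
    target_object: str
    target_details: str = ""


def matches_azorult_rule(ev: RegistryEvent) -> bool:
    """Return True when the event satisfies the whole selection (all fields ANDed).

    Sigma's default string matching is case-insensitive, so both sides are lowered.
    """
    if ev.event_id not in RULE_EVENT_IDS:
        return False
    target = ev.target_object.lower()
    return (RULE_CONTAINS.lower() in target
            and target.endswith(RULE_ENDSWITH.lower()))


def run_detection(events):
    """Apply the rule to a stream of events and return the rule's `fields` for each hit."""
    return [
        {"Image": ev.image,
         "TargetObject": ev.target_object,
         "TargetDetails": ev.target_details}
        for ev in events
        if matches_azorult_rule(ev)
    ]


# Constructed sample events; none of these paths or binaries are from a real incident.
SAMPLE_EVENTS = [
    # Key creation for the service key itself: matches.
    RegistryEvent(12, r"C:\Users\victim\AppData\Local\Temp\svc.exe",
                  r"HKLM\System\CurrentControlSet\Services\localNETService"),
    # Value set under the key: does NOT match, because endswith looks at the full path.
    RegistryEvent(13, r"C:\Users\victim\AppData\Local\Temp\svc.exe",
                  r"HKLM\System\CurrentControlSet\Services\localNETService\ImagePath",
                  r"C:\Users\victim\AppData\Local\Temp\svc.exe"),
    # Same key name but under SOFTWARE, not SYSTEM: does NOT match.
    RegistryEvent(12, r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SOFTWARE\Vendor\localNETService"),
    # Wrong event type (process create) even with a matching path: does NOT match.
    RegistryEvent(1, r"C:\Windows\explorer.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\localNETService"),
    # A different control set, upper-case SYSTEM: matches (case-insensitive).
    RegistryEvent(12, r"C:\Windows\System32\services.exe",
                  r"HKLM\SYSTEM\ControlSet001\Services\localNETService"),
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints the two matching events with the rule's `fields` (`Image`, `TargetObject`, `TargetDetails`). If you want the value-set event (EventID 13 with `\ImagePath`) to trigger as well, the rule itself would need a `contains` on `\services\localNETService\` rather than an `endswith`; as written, the EventID 13 branch only fires when the value-set event's `TargetObject` ends exactly in the key name.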
Related rules
- Blue Mockingbird - Registry
- Remote Access Tool Services Have Been Installed - System
- Kapeka Backdoor Scheduled Task Creation
- Tasks Folder Evasion
- Suspicious Autorun Registry Modified via WMI