Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
Sigma rule
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
    - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020/05/08
modified: 2021/11/27
tags:
    - attack.execution
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        EventID:
            - 12
            - 13
        TargetObject|contains: 'SYSTEM\'
        TargetObject|endswith: '\services\localNETService'
    condition: selection
fields:
    - Image
    - TargetObject
    - TargetDetails
falsepositives:
    - Unknown
level: critical
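The selection above is a single ANDed block: the event must be a Sysmon registry key create/delete (EventID 12) or value set (EventID 13), its TargetObject must contain the literal string SYSTEM\ and must end with \services\localNETService (YAML single quotes keep the backslashes literal). Two details matter when you port this to a SIEM by hand. First, Sigma string modifiers are case-insensitive unless |cased is used, and Sysmon writes the hive as HKLM\System\..., so a case-sensitive translation of 'SYSTEM\' silently breaks the rule. Second, for EventID 13 Sysmon appends the value name to TargetObject, so value writes inside the key do not satisfy the |endswith on the key name; in practice the key-creation event is what fires. The following Python is an added example, not part of the rule or the SigmaHQ project: it evaluates the selection over constructed Sysmon-style events (the dropper path and event contents are made up) and shows which of them the rule matches.

```python
"""Evaluate the 'Registry Entries For Azorult Malware' Sigma selection over
constructed Sysmon registry events (added example, not part of the rule)."""

from dataclasses import dataclass
from typing import Iterable, List

# Sigma selection values copied from the rule. YAML single-quoted strings keep
# backslashes literal, so each of these holds single backslashes.
EVENT_IDS = {12, 13}                                   # key create/delete, value set
CONTAINS_NEEDLE = "SYSTEM\\"                           # TargetObject|contains
ENDSWITH_NEEDLE = "\\services\\localNETService"        # TargetObject|endswith


@dataclass(frozen=True)
class RegistryEvent:
    """Minimal Sysmon registry event; field names follow the rule's 'fields' list."""
    event_id: int
    image: str
    target_object: str
    details: str = ""


def matches_azorult_rule(ev: RegistryEvent) -> bool:
    """Evaluate the rule's single 'selection' (all conditions ANDed).

    Sigma string modifiers are case-insensitive unless |cased is used, so the
    comparison is done on lower-cased text. That matters here because Sysmon
    reports the hive as 'HKLM\\System\\...', not 'SYSTEM'."""
    if ev.event_id not in EVENT_IDS:
        return False
    target = ev.target_object.lower()
    return (CONTAINS_NEEDLE.lower() in target
            and target.endswith(ENDSWITH_NEEDLE.lower()))


def run_detection(events: Iterable[RegistryEvent]) -> List[RegistryEvent]:
    """Return the events the rule would alert on, in input order."""
    return [ev for ev in events if matches_azorult_rule(ev)]


# Constructed sample telemetry (not real Azorult events); the dropper path is
# hypothetical and only populates the Image field.
DROPPER = r"C:\Users\victim\AppData\Local\Temp\dropper.exe"
SAMPLE_EVENTS = [
    # 1. key created under Services: EventID 12, 'SYSTEM\' present, endswith holds -> match
    RegistryEvent(12, DROPPER, r"HKLM\System\CurrentControlSet\Services\localNETService"),
    # 2. value set inside that key: Sysmon appends the value name to TargetObject,
    #    so the |endswith on the key name no longer holds -> no match
    RegistryEvent(13, DROPPER,
                  r"HKLM\System\CurrentControlSet\Services\localNETService\ImagePath",
                  r"C:\Users\victim\AppData\Local\Temp\svc.exe"),
    # 3. ordinary service key activity by the OS: different key name -> no match
    RegistryEvent(12, r"C:\Windows\System32\services.exe",
                  r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters"),
    # 4. rename (EventID 14) of the same key: EventID not in the rule -> no match
    RegistryEvent(14, DROPPER, r"HKLM\System\CurrentControlSet\Services\localNETService"),
    # 5. same key name under HKCU\Software: no 'SYSTEM\' segment -> no match
    RegistryEvent(12, DROPPER, r"HKCU\Software\services\localNETService"),
]

if __name__ == "__main__":
    for ev in run_detection(SAMPLE_EVENTS):
        print(f"ALERT EventID={ev.event_id} Image={ev.image} TargetObject={ev.target_object}")
```

Only the first constructed event alerts. If you want value writes under the key (for example the ImagePath the service points at) to fire as well, the |endswith would need to become a |contains on \services\localNETService\ or a second selection; keep in mind that broadening it also widens the false-positive surface the rule currently lists as unknown. Whatever the translation, confirm that your Sysmon configuration actually records RegistryEvent for HKLM\System\CurrentControlSet\Services, since the rule is silent if the events are never emitted.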
Related rules
- CMSTP Execution Registry Event
- Disable Security Events Logging Adding Reg Key MiniNt
- RedMimicry Winnti Playbook Registry Manipulation
- Wdigest CredGuard Registry Modification
- File Was Not Allowed To Run