RedMimicry Winnti Playbook Registry Manipulation
Detects actions caused by the RedMimicry Winnti playbook
Sigma rule (View on GitHub)
1title: RedMimicry Winnti Playbook Registry Manipulation
2id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
3status: test
4description: Detects actions caused by the RedMimicry Winnti playbook
5references:
6 - https://redmimicry.com
7author: Alexander Rausch
8date: 2020-06-24
9modified: 2021-11-27
10tags:
11 - attack.defense-evasion
12 - attack.t1112
13logsource:
14 product: windows
15 category: registry_event
16detection:
17 selection:
18 TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
19 condition: selection
20falsepositives:
21 - Unknown
22level: high
References
-
RedMimicry is a Breach and Attack Emulation software for the comprehensive emulation of realistic cyber attacks. Different from attack simulation, or software emulates realistic threat actors to test cyber defense systems and processes.
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry