RedMimicry Winnti Playbook Registry Manipulation
Detects actions caused by the RedMimicry Winnti playbook
Sigma rule (View on GitHub)
1title: RedMimicry Winnti Playbook Registry Manipulation
2id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
3status: test
4description: Detects actions caused by the RedMimicry Winnti playbook
5references:
6 - https://redmimicry.com
7author: Alexander Rausch
8date: 2020-06-24
9modified: 2021-11-27
10tags:
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.t1112
14logsource:
15 product: windows
16 category: registry_event
17detection:
18 selection:
19 TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
References
-
RedMimicry is a Breach and Attack Emulation software for the comprehensive emulation of realistic cyber attacks. Different from attack simulation, or software emulates realistic threat actors to test cyber defense systems and processes.
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird