RedMimicry Winnti Playbook Registry Manipulation

Oct 26, 2022 · attack.defense_evasion attack.t1112 ·

Detects actions caused by the RedMimicry Winnti playbook

Sigma rule (View on GitHub)

 1title: RedMimicry Winnti Playbook Registry Manipulation
 2id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
 3status: test
 4description: Detects actions caused by the RedMimicry Winnti playbook
 5references:
 6    - https://redmimicry.com
 7author: Alexander Rausch
 8date: 2020/06/24
 9modified: 2021/11/27
10tags:
11    - attack.defense_evasion
12    - attack.t1112
13logsource:
14    product: windows
15    category: registry_event
16detection:
17    selection:
18        TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

References

RedMimicry

Breach and Attack Emulation

Read More

Related rules

Disable Security Events Logging Adding Reg Key MiniNt
Wdigest CredGuard Registry Modification
Sysmon Channel Reference Deletion
CMSTP Execution Registry Event
Registry Entries For Azorult Malware