RedMimicry Winnti Playbook Registry Manipulation
Detects actions caused by the RedMimicry Winnti playbook
Sigma rule (View on GitHub)
1title: RedMimicry Winnti Playbook Registry Manipulation
2id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
3status: test
4description: Detects actions caused by the RedMimicry Winnti playbook
5references:
6 - https://redmimicry.com
7author: Alexander Rausch
8date: 2020/06/24
9modified: 2021/11/27
10tags:
11 - attack.defense_evasion
12 - attack.t1112
13logsource:
14 product: windows
15 category: registry_event
16detection:
17 selection:
18 TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
19 condition: selection
20falsepositives:
21 - Unknown
22level: high
References
Related rules
- Disable Security Events Logging Adding Reg Key MiniNt
- Wdigest CredGuard Registry Modification
- Sysmon Channel Reference Deletion
- CMSTP Execution Registry Event
- Registry Entries For Azorult Malware