WINEKEY Registry Modification
Detects potential malicious modification of run keys by winekey or team9 backdoor
Sigma rule (View on GitHub)
1title: WINEKEY Registry Modification
2id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
3status: test
4description: Detects potential malicious modification of run keys by winekey or team9 backdoor
5references:
6 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
7author: omkar72
8date: 2020-10-30
9modified: 2021-11-27
10tags:
11 - attack.persistence
12 - attack.t1547
13logsource:
14 category: registry_event
15 product: windows
16detection:
17 selection:
18 TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
19 condition: selection
20fields:
21 - ComputerName
22 - Image
23 - EventType
24 - TargetObject
25falsepositives:
26 - Unknown
27level: high
References
-
First Seen Server Subject MD5 12/12/19 140.82.60.155:443 CN=updatemanagir[.]us ec16be328c09473d5e5c07310583d85a 12/21/19 96.30.192.141:443 CN=cmdupdatewin[.]com 3d4de17df25412bb714fda069f6eb27e 1/6...
Read More
Related rules
- Atbroker Registry Change
- Potential RipZip Attack on Startup Folder
- Registry Persistence Mechanisms in Recycle Bin
- Suspicious Driver Install by pnputil.exe
- Suspicious GrpConv Execution