WINEKEY Registry Modification
Detects potential malicious modification of run keys by winekey or team9 backdoor
Sigma rule (View on GitHub)
1title: WINEKEY Registry Modification
2id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
3status: test
4description: Detects potential malicious modification of run keys by winekey or team9 backdoor
5references:
6 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
7author: omkar72
8date: 2020-10-30
9modified: 2021-11-27
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.t1547
14logsource:
15 category: registry_event
16 product: windows
17detection:
18 selection:
19 TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
20 condition: selection
21fields:
22 - ComputerName
23 - Image
24 - EventType
25 - TargetObject
26falsepositives:
27 - Unknown
28level: high
References
-
First Seen Server Subject MD5 12/12/19 140.82.60.155:443 CN=updatemanagir[.]us ec16be328c09473d5e5c07310583d85a 12/21/19 96.30.192.141:443 CN=cmdupdatewin[.]com 3d4de17df25412bb714fda069f6eb27e 1/6...
Read More
Related rules
- Atbroker Registry Change
- Potential RipZip Attack on Startup Folder
- Registry Persistence Mechanisms in Recycle Bin
- Startup/Logon Script Added to Group Policy Object
- Suspicious Driver Install by pnputil.exe