WINEKEY Registry Modification
Detects potential malicious modification of run keys by winekey or team9 backdoor
Sigma rule (View on GitHub)
1title: WINEKEY Registry Modification
2id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
3status: test
4description: Detects potential malicious modification of run keys by winekey or team9 backdoor
5references:
6 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
7author: omkar72
8date: 2020/10/30
9modified: 2021/11/27
10tags:
11 - attack.persistence
12 - attack.t1547
13logsource:
14 category: registry_event
15 product: windows
16detection:
17 selection:
18 TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
19 condition: selection
20fields:
21 - ComputerName
22 - Image
23 - EventType
24 - TargetObject
25falsepositives:
26 - Unknown
27level: high
References
Related rules
- New DLL Added to AppCertDlls Registry Key
- Path To Screensaver Binary Modified
- Suspicious desktop.ini Action
- WMI Persistence - Script Event Consumer File Write
- HybridConnectionManager Service Installation