Potential Ransomware Activity Using LegalNotice Message
Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
Sigma rule
```yaml
title: Potential Ransomware Activity Using LegalNotice Message
id: 8b9606c9-28be-4a38-b146-0e313cc232c1
status: test
description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
date: 2022-12-11
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1491.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
        Details|contains:
            - 'encrypted'
            - 'Unlock-Password'
            - 'paying'
    condition: selection
falsepositives:
    - Unknown
level: high
```
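To show what the rule's `selection` actually evaluates, the following is an added Python example (not part of the Sigma project or of this rule's source) that re-implements the matching logic and runs it over a few constructed Sysmon Event ID 13 (SetValue) records. The `registry_set` log source maps to that Sysmon event, and Sigma's `contains` modifier is a case-insensitive substring match, which the code reproduces; the field names `TargetObject`, `Details`, `EventType` and `Image` are the Sigma/Sysmon ones, and the sample events and the `update.exe` path are invented for the demonstration.

```python
# Added example (not the Sigma project's code): a stand-alone re-implementation of
# the rule's 'selection' logic, run over constructed Sysmon Event ID 13
# (RegistryEvent / SetValue) records. Field names follow the Sigma
# 'windows / registry_set' log source: TargetObject, Details, EventType, Image.

from typing import Dict, List

# Sigma's 'contains' modifier is a case-insensitive substring match, so both the
# patterns and the event fields are lower-cased before comparison.
TARGET_OBJECTS: List[str] = [
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption",
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText",
]
KEYWORDS: List[str] = ["encrypted", "Unlock-Password", "paying"]


def matched_keywords(event: Dict[str, str]) -> List[str]:
    """Return the rule keywords found in the event's Details value (empty if none)."""
    details = event.get("Details", "").lower()
    return [k for k in KEYWORDS if k.lower() in details]


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies the rule: a SetValue on one of the two
    LegalNotice values whose new data contains at least one ransom-note keyword."""
    # The registry_set category corresponds to Sysmon Event ID 13 (SetValue);
    # other registry event types are out of scope for this rule.
    if event.get("EventType", "SetValue") != "SetValue":
        return False
    target = event.get("TargetObject", "").lower()
    on_legal_notice = any(t.lower() in target for t in TARGET_OBJECTS)
    return on_legal_notice and bool(matched_keywords(event))


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a list of registry_set events and return the hits."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Sysmon prefixes the hive
# (HKLM\) to the path, which is why the rule's patterns start at '\SOFTWARE'.
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # ransom-note style text written to LegalNoticeText -> should fire
        "EventType": "SetValue",
        "Image": r"C:\Users\Public\update.exe",  # hypothetical path
        "TargetObject": POLICY_KEY + r"\LegalNoticeText",
        "Details": "All your files have been ENCRYPTED. Contact us for the Unlock-Password.",
    },
    {   # ordinary corporate logon banner -> must not fire
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": POLICY_KEY + r"\LegalNoticeCaption",
        "Details": "Authorized use only. Activity may be monitored.",
    },
    {   # keyword present, but on an unrelated value -> must not fire
        "EventType": "SetValue",
        "Image": r"C:\Program Files\Backup\agent.exe",  # hypothetical path
        "TargetObject": r"HKLM\SOFTWARE\Backup\Status",
        "Details": "Last backup encrypted and uploaded",
    },
    {   # mixed-case keyword on the caption -> should fire (match is case-insensitive)
        "EventType": "SetValue",
        "Image": r"C:\Users\Public\update.exe",  # hypothetical path
        "TargetObject": POLICY_KEY + r"\LegalNoticeCaption",
        "Details": "Paying is the only way to restore your data",
    },
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['Image']}] {hit['TargetObject']} -> keywords {matched_keywords(hit)}")
```

Running the script reports the first and fourth sample events. The third event shows why the `TargetObject` condition matters: the keyword alone is common in benign data. The converse also holds, and is the reason the rule lists its false positives as `Unknown`: a legitimate banner that happens to mention, say, encrypted communications would satisfy the selection, so triage should look at the writing process (`Image`) and the full `Details` string rather than the keyword hit alone.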
Related rules
- Replace Desktop Wallpaper by Powershell
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted