Potential Ransomware Activity Using LegalNotice Message
Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
Sigma rule
title: Potential Ransomware Activity Using LegalNotice Message
id: 8b9606c9-28be-4a38-b146-0e313cc232c1
status: experimental
description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
date: 2022/12/11
modified: 2023/08/17
tags:
    - attack.impact
    - attack.t1491.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
        Details|contains:
            - 'encrypted'
            - 'Unlock-Password'
            - 'paying'
    condition: selection
falsepositives:
    - Unknown
level: high
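As an added example (not part of the rule or of the Sigma project), the selection above evaluated in Python over constructed registry_set events in the shape of Sysmon Event ID 13 (fields TargetObject, Details, Image). It assumes Sigma's default semantics for the contains modifier (case-insensitive substring match) and an implicit AND between the two fields of the selection; all sample paths and message text are invented.

```python
from typing import Dict, List

# Keyword lists copied from the rule's 'selection' block.
LEGAL_NOTICE_VALUES = (
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption",
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText",
)
RANSOM_KEYWORDS = ("encrypted", "Unlock-Password", "paying")


def _contains_any(value: str, needles) -> bool:
    """Sigma 'contains' modifier: substring match, case-insensitive by default."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def matches_legal_notice_rule(event: Dict[str, str]) -> bool:
    """Apply the rule's 'selection' to one registry_set event (Sysmon EID 13 style).
    Both field conditions must hold: Sigma ANDs the fields of one selection."""
    return (
        _contains_any(event.get("TargetObject", ""), LEGAL_NOTICE_VALUES)
        and _contains_any(event.get("Details", ""), RANSOM_KEYWORDS)
    )


def find_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise this rule's (level: high) alert."""
    return [e for e in events if matches_legal_notice_rule(e)]


# Constructed sample events (not real telemetry): hypothetical paths and text.
SAMPLE_EVENTS = [
    {   # ransom note written into the logon banner: should fire
        "Image": r"C:\Users\Public\updater.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText",
        "Details": "Your files have been ENCRYPTED. Contact us for the Unlock-Password.",
    },
    {   # ordinary corporate logon banner set by policy: must not fire
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption",
        "Details": "Authorised users only. Activity may be monitored.",
    },
    {   # keyword present, but a different registry value: must not fire
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Constructed\App\Status",
        "Details": "encrypted",
    },
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetObject"])
```

Only the first constructed event matches; the benign banner and the unrelated value carrying the word "encrypted" are not flagged, which is the behaviour a triage analyst should expect from this rule.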
Related rules
- Replace Desktop Wallpaper by Powershell
- New Root or CA or AuthRoot Certificate to Store
- Registry Disable System Restore
- Renamed Gpg.EXE Execution
- LockerGoga Ransomware Activity