Potential Ransomware Activity Using LegalNotice Message

Detects changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message being set contains keywords commonly used in ransomware ransom notes.

Sigma rule:

title: Potential Ransomware Activity Using LegalNotice Message
id: 8b9606c9-28be-4a38-b146-0e313cc232c1
status: experimental
description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
date: 2022/12/11
modified: 2023/08/17
tags:
    - attack.impact
    - attack.t1491.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
        Details|contains:
            - 'encrypted'
            - 'Unlock-Password'
            - 'paying'
    condition: selection
falsepositives:
    - Unknown
level: high
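To see how the selection above behaves on actual telemetry, the following added Python example (not code from the Sigma project or the rule author) applies the rule's two `contains` conditions to constructed Sysmon Event ID 13 records. The sample events, their Image paths and the helper names are assumptions; the field names TargetObject and Details follow Sysmon's registry_set schema.

```python
# Added example (not part of the Sigma rule or project): apply the rule's
# selection logic to constructed Sysmon Event ID 13 (registry value set) records.

LEGAL_NOTICE_VALUES = (
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption",
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText",
)
RANSOM_KEYWORDS = ("encrypted", "Unlock-Password", "paying")


def contains_any(field_value: str, needles) -> bool:
    """Sigma string matching is case-insensitive by default; mirror that here."""
    haystack = field_value.lower()
    return any(n.lower() in haystack for n in needles)


def matches_rule(event: dict) -> bool:
    """True when both parts of 'selection' hold (the rule's condition is just 'selection')."""
    return (contains_any(event.get("TargetObject", ""), LEGAL_NOTICE_VALUES)
            and contains_any(event.get("Details", ""), RANSOM_KEYWORDS))


def scan(events) -> list:
    """Return the indexes of the events that would fire the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (hypothetical processes and values, not real telemetry).
SAMPLE_EVENTS = [
    {   # ransom note written into the logon banner: should fire
        "Image": r"C:\Users\Public\update.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText",
        "Details": "All your files have been ENCRYPTED. Contact us to get the Unlock-Password.",
    },
    {   # ordinary corporate banner set by Group Policy: same key, no keywords
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption",
        "Details": "Authorized users only. Activity may be monitored.",
    },
    {   # keyword present but under an unrelated key: rule must stay quiet
        "Image": r"C:\Program Files\ExampleBackup\agent.exe",
        "TargetObject": r"HKLM\SOFTWARE\ExampleBackup\Status",
        "Details": "Last backup set encrypted at rest",
    },
]

if __name__ == "__main__":
    print("events that would alert:", scan(SAMPLE_EVENTS))  # [0]
```

The second event shows why a legitimate logon banner does not trip the rule: the key matches, but the Details text carries none of the ransom-note keywords, so both conditions must hold before an alert is raised.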
