Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
Sigma rule (View on GitHub)
1title: Blue Mockingbird - Registry
2id: 92b0b372-a939-44ed-a11b-5136cf680e27
3related:
4 - id: c3198a27-23a0-4c2c-af19-e5328d49680e
5 type: derived
6status: test
7description: Attempts to detect system changes made by Blue Mockingbird
8references:
9 - https://redcanary.com/blog/blue-mockingbird-cryptominer/
10author: Trent Liffick (@tliffick)
11date: 2020-05-14
12modified: 2023-08-17
13tags:
14 - attack.execution
15 - attack.t1112
16 - attack.t1047
17logsource:
18 product: windows
19 category: registry_set
20detection:
21 selection:
22 TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
Red Canary Intel is monitoring a potentially novel threat that is deploying Monero cryptocurrency-mining DLLs on Windows machines at multiple organizations.
Read More
Related rules
- Blue Mockingbird
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Computer System Reconnaissance Via Wmic.EXE