Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
Sigma rule (View on GitHub)
1title: Blue Mockingbird - Registry
2id: 92b0b372-a939-44ed-a11b-5136cf680e27
3related:
4 - id: c3198a27-23a0-4c2c-af19-e5328d49680e
5 type: derived
6status: test
7description: Attempts to detect system changes made by Blue Mockingbird
8references:
9 - https://redcanary.com/blog/blue-mockingbird-cryptominer/
10author: Trent Liffick (@tliffick)
11date: 2020-05-14
12modified: 2023-08-17
13tags:
14 - attack.defense-evasion
15 - attack.execution
16 - attack.persistence
17 - attack.t1112
18 - attack.t1047
19logsource:
20 product: windows
21 category: registry_set
22detection:
23 selection:
24 TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
-
Red Canary Intel is monitoring a potentially novel threat that is deploying Monero cryptocurrency-mining DLLs on Windows machines at multiple organizations.
Read More
Related rules
- Blue Mockingbird
- Registry Manipulation via WMI Stdregprov
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security