Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
Sigma rule (View on GitHub)
1title: Blue Mockingbird - Registry
2id: 92b0b372-a939-44ed-a11b-5136cf680e27
3related:
4 - id: c3198a27-23a0-4c2c-af19-e5328d49680e
5 type: derived
6status: test
7description: Attempts to detect system changes made by Blue Mockingbird
8references:
9 - https://redcanary.com/blog/blue-mockingbird-cryptominer/
10author: Trent Liffick (@tliffick)
11date: 2020-05-14
12modified: 2023-08-17
13tags:
14 - attack.execution
15 - attack.persistence
16 - attack.t1112
17 - attack.t1047
18logsource:
19 product: windows
20 category: registry_set
21detection:
22 selection:
23 TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
24 condition: selection
25falsepositives:
26 - Unknown
27level: high
References
-
Red Canary Intel is monitoring a potentially novel threat that is deploying Monero cryptocurrency-mining DLLs on Windows machines at multiple organizations.
Read More
Related rules
- Registry Entries For Azorult Malware
- Suspicious Autorun Registry Modified via WMI
- Blue Mockingbird
- HackTool - CrackMapExec Execution
- Suspicious Encoded Scripts in a WMI Consumer