Blue Mockingbird - Registry

Aug 17, 2023 · attack.execution attack.t1112 attack.t1047 ·

Attempts to detect system changes made by Blue Mockingbird

Sigma rule (View on GitHub)

 1title: Blue Mockingbird - Registry
 2id: 92b0b372-a939-44ed-a11b-5136cf680e27
 3related:
 4    - id: c3198a27-23a0-4c2c-af19-e5328d49680e
 5      type: derived
 6status: experimental
 7description: Attempts to detect system changes made by Blue Mockingbird
 8references:
 9    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
10author: Trent Liffick (@tliffick)
11date: 2020/05/14
12modified: 2023/08/17
13tags:
14    - attack.execution
15    - attack.t1112
16    - attack.t1047
17logsource:
18    product: windows
19    category: registry_set
20detection:
21    selection:
22        TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

Blue Mockingbird activity mines Monero cryptocurrency

Red Canary Intel is monitoring a potentially novel threat that is deploying Monero cryptocurrency-mining DLLs on Windows machines at multiple organizations.

Read More

Blue Mockingbird - Registry

Sigma rule (View on GitHub)

References

Blue Mockingbird activity mines Monero cryptocurrency

Related rules