VBScript Payload Stored in Registry
Detects VBScript content stored into registry keys as seen being used by UNC2452 group
Sigma rule (View on GitHub)
1title: VBScript Payload Stored in Registry
2id: 46490193-1b22-4c29-bdd6-5bf63907216f
3status: test
4description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
5references:
6 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
7author: Florian Roth (Nextron Systems)
8date: 2021-03-05
9modified: 2023-08-17
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.t1547.001
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
20 Details|contains:
21 - 'vbscript:'
22 - 'jscript:'
23 - 'mshtml,'
24 - 'RunHTMLApplication'
25 - 'Execute('
26 - 'CreateObject'
27 - 'window.close'
28 filter:
29 TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
30 filter_dotnet:
31 Image|endswith: '\msiexec.exe'
32 TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\'
33 Details|contains:
34 - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
35 - '<\Microsoft.mshtml,fileVersion='
36 - '_mshtml_dll_'
37 - '<\Microsoft.mshtml,culture='
38 condition: selection and not 1 of filter*
39falsepositives:
40 - Unknown
41level: high
References
Related rules
- Classes Autorun Keys Modification
- Common Autorun Keys Modification
- CurrentControlSet Autorun Keys Modification
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification