VBScript Payload Stored in Registry
Detects VBScript content stored into registry keys as seen being used by UNC2452 group
Sigma rule (View on GitHub)
1title: VBScript Payload Stored in Registry
2id: 46490193-1b22-4c29-bdd6-5bf63907216f
3status: experimental
4description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
5references:
6 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
7author: Florian Roth (Nextron Systems)
8date: 2021/03/05
9modified: 2023/08/17
10tags:
11 - attack.persistence
12 - attack.t1547.001
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
19 Details|contains:
20 - 'vbscript:'
21 - 'jscript:'
22 - 'mshtml,'
23 - 'RunHTMLApplication'
24 - 'Execute('
25 - 'CreateObject'
26 - 'window.close'
27 filter:
28 TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
29 filter_dotnet:
30 Image|endswith: '\msiexec.exe'
31 TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\'
32 Details|contains:
33 - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
34 - '<\Microsoft.mshtml,fileVersion='
35 - '_mshtml_dll_'
36 - '<\Microsoft.mshtml,culture='
37 condition: selection and not 1 of filter*
38falsepositives:
39 - Unknown
40level: high
References
Related rules
- Classes Autorun Keys Modification
- CurrentControlSet Autorun Keys Modification
- Internet Explorer Autorun Keys Modification
- Modify User Shell Folders Startup Value
- Session Manager Autorun Keys Modification