Emerging Threathightest

Potential NetWire RAT Activity - Registry

Detects registry keys related to NetWire RAT

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Christopher PeacockCreated Thu Oct 07Updated Mon Nov 031d218616-71b0-4c40-855b-9dbe75510f7f2021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsRegistry Add

ProductWindows← raw: windows

CategoryRegistry Add← raw: registry_add

Detection Logic

detection:
    selection:
        # The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
        TargetObject|contains: '\software\NetWire'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

fortinet.com

Resolving title…

resources.infosecinstitute.com

Resolving title…

unit42.paloaltonetworks.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1112 · Modify Registry

Other

detection.emerging-threats

Rule Metadata

Rule ID

1d218616-71b0-4c40-855b-9dbe75510f7f

Status

test

Level

high

Type

Emerging Threat

Created

Thu Oct 07

Modified

Mon Nov 03

Author

Christopher Peacock

Path

rules-emerging-threats/2021/Malware/Netwire/registry_add_malware_netwire.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1112detection.emerging-threats

View on GitHub