Emerging Threathightest

Potential Ursnif Malware Activity - Registry

Detects registry keys related to Ursnif malware.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

megan201296Created Wed Feb 13Updated Wed Oct 2221f17060-b282-4249-ade0-589ea35915582019

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsRegistry Add

ProductWindows← raw: windows

CategoryRegistry Add← raw: registry_add

Detection Logic

detection:
    selection:
        TargetObject|endswith: '\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-7C9D-AB0E-15700F2219A4'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion TA0002 · Execution

Techniques

T1112 · Modify Registry

Other

detection.emerging-threats

Rule Metadata

Rule ID

21f17060-b282-4249-ade0-589ea3591558

Status

test

Level

high

Type

Emerging Threat

Created

Wed Feb 13

Modified

Wed Oct 22

Author

megan201296

Path

rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.executionattack.t1112detection.emerging-threats

View on GitHub