Detectionlowtest

Load Of RstrtMgr.DLL By An Uncommon Process

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Luc GénauxCreated Tue Nov 28Updated Mon Dec 083669afd2-9891-4534-a626-e5cf03810a61windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        - ImageLoaded|endswith: '\RstrtMgr.dll'
        - OriginalFileName: 'RstrtMgr.dll'
    filter_main_generic:
        Image|startswith:
            - C:\$WINDOWS.~BT\'
            - C:\$WinREAgent\'
            - C:\Program Files (x86)\'
            - C:\Program Files\'
            - C:\ProgramData\'
            - C:\Windows\explorer.exe'
            - C:\Windows\SoftwareDistribution\'
            - C:\Windows\SysNative\'
            - C:\Windows\System32\'
            - C:\Windows\SysWOW64\'
            - C:\Windows\WinSxS\'
            - C:\WUDownloadCache\'
    filter_main_user_software_installations:
        Image|startswith: C:\Users\'
        Image|contains|all:
            - '\AppData\Local\Temp\is-'
            - '.tmp\'
        Image|endswith: '.tmp'
    filter_main_admin_software_installations:
        Image|startswith: C:\Windows\Temp\'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives

Other legitimate Windows processes not currently listed

Processes related to software installation

References

MITRE ATT&CK

Tactics

TA0040 · Impact TA0005 · Defense Evasion

Techniques

T1486 · Data Encrypted for Impact

Sub-techniques

T1562.001 · Disable or Modify Tools

Related Rules

DerivedDetectionhigh

Load Of RstrtMgr.DLL By A Suspicious Process

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

3669afd2-9891-4534-a626-e5cf03810a61

Status

test

Level

low

Type

Detection

Created

Tue Nov 28

Modified

Mon Dec 08

Author

Luc Génaux

Path

rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml

Raw Tags

attack.impactattack.defense-evasionattack.t1486attack.t1562.001

View on GitHub