Emerging Threatcriticaltest

Pandemic Registry Key

Detects Pandemic Windows Implant

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Thu Jun 01Updated Sun Oct 0947e0852a-cf81-4494-a8e6-31864f8c86ed2017

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Techniques

T1105 · Ingress Tool Transfer

Other

detection.emerging-threats

Rule Metadata

Rule ID

47e0852a-cf81-4494-a8e6-31864f8c86ed

Status

test

Level

critical

Type

Emerging Threat

Created

Thu Jun 01

Modified

Sun Oct 09

Author

Florian Roth (Nextron Systems)

Path

rules-emerging-threats/2017/TA/Pandemic/registry_event_apt_pandemic.yml

Raw Tags

attack.command-and-controlattack.t1105detection.emerging-threats

View on GitHub