Emerging Threatcriticaltest

OceanLotus Registry Activity

Detects registry keys created in OceanLotus (also known as APT32) attacks

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

megan201296, Jonhnathan RibeiroCreated Sun Apr 14Updated Thu Sep 284ac5fc44-a601-4c06-955b-309df8c4e9d42018

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection_clsid:
        TargetObject|contains: '\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
    selection_hkcu:
        TargetObject|contains:
            # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
            - 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
            # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
            - 'Classes\AppX3bbba44c6cae4d9695755183472171e2\'
            # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
            - 'Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
            - 'Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
    selection_appx_1:
        TargetObject|contains: '\SOFTWARE\App\'
    selection_appx_2:
        TargetObject|contains:
            - 'AppXbf13d4ea2945444d8b13e2121cb6b663\'
            - 'AppX70162486c7554f7f80f481985d67586d\'
            - 'AppX37cc7fdccd644b4f85f4b22d5a3f105a\'
        TargetObject|endswith:
            - 'Application'
            - 'DefaultIcon'
    condition: selection_clsid or selection_hkcu or all of selection_appx_*