Detectionhightest

RedMimicry Winnti Playbook Registry Manipulation

Detects actions caused by the RedMimicry Winnti playbook

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Alexander RauschCreated Wed Jun 24Updated Sat Nov 275b175490-b652-4b02-b1de-5b5b4083c5f8windows

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

5b175490-b652-4b02-b1de-5b5b4083c5f8

Status

test

Level

high

Type

Detection

Created

Wed Jun 24

Modified

Sat Nov 27

Author

Path

rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1112