Emerging Threatcriticaltest

Leviathan Registry Key Activity

Detects registry key used by Leviathan APT in Malaysian focused campaign

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Aidan BracherCreated Tue Jul 07Updated Tue Sep 1970d43542-cd2d-483c-8f30-f16b436fd7db2020

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
    condition: selection

References

MITRE ATT&CK

Tactics

Sub-techniques

Other

detection.emerging-threats

Rule Metadata

Rule ID

70d43542-cd2d-483c-8f30-f16b436fd7db

Status

test

Level

critical

Type

Emerging Threat

Created

Tue Jul 07

Modified

Tue Sep 19

Author

Path

rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1547.001detection.emerging-threats