Emerging Threatcriticaltest

OilRig APT Registry Persistence

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.communityCreated Fri Mar 23Updated Wed Mar 087bdf2a7c-3acc-4091-9581-0a77dad1c5b52018

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

web.archive.org

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0002 · Execution TA0003 · Persistence TA0005 · Defense Evasion TA0011 · Command and Control

Techniques

T1112 · Modify Registry

Sub-techniques

T1053.005 · Scheduled Task T1543.003 · Windows Service T1071.004 · DNS

Groups

G0049 · G0049

Software

S0111 · schtasks

Other

detection.emerging-threats

Related Rules

SimilarEmerging Threatcritical

OilRig APT Schedule Task Persistence - System

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Detects similar activity. Both rules may fire on overlapping events.

SimilarEmerging Threatcritical

OilRig APT Schedule Task Persistence - Security

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Detects similar activity. Both rules may fire on overlapping events.

SimilarEmerging Threatcritical

OilRig APT Activity

Detects OilRig activity as reported by Nyotron in their March 2018 report

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

7bdf2a7c-3acc-4091-9581-0a77dad1c5b5

Status

test

Level

critical

Type

Emerging Threat

Created

Fri Mar 23

Modified

Wed Mar 08

Author

Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community

Path

rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml

Raw Tags

attack.privilege-escalationattack.executionattack.persistenceattack.g0049attack.t1053.005attack.s0111attack.t1543.003attack.defense-evasionattack.t1112attack.command-and-controlattack.t1071.004detection.emerging-threats

View on GitHub