Emerging Threat · medium · test
Potential Encrypted Registry Blob Related To SNAKE Malware
Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
Author: Nasreddine Bencherchali (Nextron Systems) · Created Wed May 10 2023 · Updated Thu Aug 17 2023 · Rule ID 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (2 selectors)
detection:
  selection:
    TargetObject|contains: '\SOFTWARE\Classes\.wav\OpenWithProgIds\'
  filter_main_wav:
    - TargetObject|endswith: '.AssocFile.WAV'
    - TargetObject|contains: '.wav.'
  condition: selection and not 1 of filter_main_*
False Positives
Some additional tuning might be required to tune out legitimate processes that write to this key by default
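To make the condition concrete, the following is an added example (not part of the rule page or the Sigma project) that re-implements this rule's selection and filter logic as plain Python and runs it over a handful of constructed Sysmon Event ID 13 style registry_set events. The field name `TargetObject`, the match strings and the condition `selection and not 1 of filter_main_*` come from the rule above; the helper names, the sample hive path and the sample value names are assumptions made here, and the "uncommon" value name is a placeholder, not a real indicator.

```python
# Added example, not the page's or the Sigma project's code: evaluate this rule's
# selection/filter logic against constructed registry_set events.

# Sigma string modifiers (contains/endswith) match case-insensitively by default,
# so both the rule strings and the event field are lower-cased before comparison.
SELECTION_CONTAINS = "\\software\\classes\\.wav\\openwithprogids\\"
FILTER_MAIN_WAV_ENDSWITH = ".assocfile.wav"
FILTER_MAIN_WAV_CONTAINS = ".wav."


def selection(target_object: str) -> bool:
    """selection: TargetObject|contains '\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds\\'"""
    return SELECTION_CONTAINS in target_object.lower()


def filter_main_wav(target_object: str) -> bool:
    """filter_main_wav is a list of two maps; Sigma ORs list items together."""
    t = target_object.lower()
    return t.endswith(FILTER_MAIN_WAV_ENDSWITH) or FILTER_MAIN_WAV_CONTAINS in t


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    target = event.get("TargetObject", "")
    return selection(target) and not filter_main_wav(target)


def run_rule(events: list) -> list:
    """Return the TargetObject of every event the rule would alert on."""
    return [e["TargetObject"] for e in events if matches(e)]


# Constructed sample events shaped like Sysmon Event ID 13 (RegistryEvent, value set).
# The SID and every value name below are made up for this example.
HIVE = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Default media-player ProgId registered for .wav: dropped by the endswith filter
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": HIVE + "\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds\\WMP11.AssocFile.WAV"},
    # A ProgId whose name contains '.wav.': dropped by the contains filter
    {"EventID": 13, "Image": "C:\\Program Files\\ExampleAudio\\setup.exe",
     "TargetObject": HIVE + "\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds\\ExampleAudio.wav.Document"},
    # Same key, but a value name that fits neither filter: this is what the rule alerts on
    {"EventID": 13, "Image": "C:\\Path\\To\\constructed.exe",
     "TargetObject": HIVE + "\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds\\PLACEHOLDER-UNCOMMON-NAME"},
    # Different extension key: never enters the selection at all
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": HIVE + "\\SOFTWARE\\Classes\\.mp3\\OpenWithProgIds\\WMP11.AssocFile.MP3"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Note that the selection string ends in `\.wav\` while the second filter looks for `.wav.`, so the key path itself never satisfies the filter; only the value name can. Running this against a real environment still depends on the Sysmon configuration actually capturing registry value writes under `HKU\...\SOFTWARE\Classes\.wav`, which is the usual reason for the tuning the false-positives note mentions.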
References
MITRE ATT&CK
Tactics: Persistence (attack.persistence)
Other: detection.emerging-threats
Rule Metadata
Rule ID
7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
Status
test
Level
medium
Type
Emerging Threat
Created
Wed May 10
Modified
Thu Aug 17
Path
rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
Raw Tags
attack.persistence, detection.emerging-threats