Blackbyte Ransomware Registry
Detects specific windows registry modifications made by BlackByte ransomware variants. BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption. This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
detection:
selection:
TargetObject:
- 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy'
- 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections'
- 'HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled'
Details: 'DWORD (0x00000001)'
condition: selectionFalse positive likelihood has not been assessed. Additional context may be needed during triage.
Techniques
Other