Detectionhightest
HackTool - RedMimicry Winnti Playbook Execution
Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
Image|endswith:
- '\rundll32.exe'
- '\cmd.exe'
CommandLine|contains:
- 'gthread-3.6.dll'
- '\Windows\Temp\tmp.bat'
- 'sigcmm-2.4.dll'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Techniques
Sub-techniques
Rule Metadata
Rule ID
95022b85-ff2a-49fa-939a-d7b8f56eeb9b
Status
test
Level
high
Type
Detection
Created
Wed Jun 24
Modified
Wed Mar 01
Author
Path
rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml
Raw Tags
attack.executionattack.defense-evasionattack.t1106attack.t1059.003attack.t1218.011