Detectionhightest

WINEKEY Registry Modification

Detects potential malicious modification of run keys by winekey or team9 backdoor

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

omkar72Created Fri Oct 30Updated Sat Nov 27b98968aa-dbc0-4a9c-ac35-108363cbf8d5windows

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

b98968aa-dbc0-4a9c-ac35-108363cbf8d5

Status

test

Level

high

Type

Detection

Created

Fri Oct 30

Modified

Sat Nov 27

Author

Path

rules/windows/registry/registry_event/registry_event_runkey_winekey.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1547