Detectioncriticaltest

Registry Entries For Azorult Malware

Detects the presence of a registry key created during Azorult execution

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Trent LiffickCreated Fri May 08Updated Sat Nov 27f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7windows

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        EventID:
            - 12
            - 13
        TargetObject|contains: 'SYSTEM\'
        TargetObject|endswith: '\services\localNETService'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

trendmicro.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence TA0002 · Execution

Techniques

T1112 · Modify Registry

Rule Metadata

Rule ID

f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7

Status

test

Level

critical

Type

Detection

Created

Fri May 08

Modified

Sat Nov 27

Author

Trent Liffick

Path

rules/windows/registry/registry_event/registry_event_mal_azorult.yml

Raw Tags

attack.defense-evasionattack.persistenceattack.executionattack.t1112

View on GitHub