39 lines
1.4 KiB
YAML
39 lines
1.4 KiB
YAML
|
|
title: NetWire RAT Registry Key
|
|
Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity
|
|
"Because Sysmon runs as a service, it has no filtering ability for, or concept of,
|
|
HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation"
|
|
Therefore I set <TargetObject condition="contains">netwire</TargetObjecct> in my
|
|
configuration.
|
|
author: Christopher Peacock
|
|
date: 2021/10/07
|
|
description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 12
|
|
SELECTION_2:
|
|
EventID: 13
|
|
SELECTION_3:
|
|
EventID: 14
|
|
SELECTION_4:
|
|
TargetObject: '*\software\NetWire*'
|
|
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
|
|
falsepositives:
|
|
- No known false positives
|
|
id: 1d218616-71b0-4c40-855b-9dbe75510f7f
|
|
level: high
|
|
logsource:
|
|
category: registry_event
|
|
product: windows
|
|
references:
|
|
- https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
|
|
- https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
|
|
- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
|
|
- https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
|
|
- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
|
|
status: experimental
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1112
|
|
ruletype: SIGMA
|