Sodinokibi Ransomware Registry Key
```yaml
title: Sodinokibi Ransomware Registry Key
id: 9fecd354-77f0-498e-a611-c963970e7bca
description: Detects the creation of Sodinokibi (aka REvil) registry keys
status: experimental
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://twitter.com/malwrhunterteam/status/1372648463553462279
tags:
    - attack.persistence
    - attack.t1547.001
date: 2021/03/29
author: Maxime THIEBAUT (@0xThiebaut)
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*AstraZeneca'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*franceisshit'
    condition: selection
level: high
```
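To show what the selection above actually matches, here is an added Python example (not part of the rule or the Sigma repository) that translates the two `TargetObject|contains` values into regexes with Sigma's case-insensitive, `*`-wildcard semantics and runs them over constructed Sysmon registry events; the event records and their `TargetObject` values are constructed samples, not real telemetry.

```python
import re

# The two values from the rule's selection. Under Sigma's `contains` modifier the
# value may appear anywhere in the field, matching is case-insensitive, and `*`
# is a wildcard for any run of characters (here: the key name's prefix).
SELECTION = [
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*AstraZeneca',
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*franceisshit',
]


def sigma_contains_to_regex(value: str) -> re.Pattern:
    """Translate one Sigma `contains` value into a case-insensitive regex.

    Literal text is escaped, each `*` becomes `.*`, and `search` (not `match`)
    gives the 'anywhere in the field' semantics of `contains`.
    """
    literal_parts = [re.escape(part) for part in value.split('*')]
    return re.compile('.*'.join(literal_parts), re.IGNORECASE)


PATTERNS = [sigma_contains_to_regex(v) for v in SELECTION]


def matches(event: dict) -> bool:
    """True if a registry event's TargetObject hits the rule's selection."""
    target = event.get('TargetObject', '')
    return any(p.search(target) for p in PATTERNS)


# Constructed sample events in the shape of Sysmon registry_event records
# (EventID 12 = key create/delete, 13 = value set). Not real telemetry.
SAMPLE_EVENTS = [
    {'EventID': 13, 'TargetObject': r'HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AstraZeneca'},
    {'EventID': 13, 'TargetObject': r'HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\xyzFranceIsShit'},
    {'EventID': 13, 'TargetObject': r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive'},
    {'EventID': 12, 'TargetObject': r'HKLM\SOFTWARE\AstraZeneca\Settings'},
]


def alert(events) -> list:
    """Return the TargetObject of every event the rule would fire on."""
    return [e['TargetObject'] for e in events if matches(e)]


if __name__ == '__main__':
    for hit in alert(SAMPLE_EVENTS):
        print('ALERT:', hit)
```

The third and fourth samples show the rule's scope: a benign `Run` value and an unrelated key that merely contains one of the names do not match, because the `RunOnce` path prefix is part of the pattern.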
Based on sysmon_susp_run_key_img_folder.yml with loosened folder conditions in favor of key naming.