Sodinokibi Ransomware Registry Key
title: Sodinokibi Ransomware Registry Key
id: 9fecd354-77f0-498e-a611-c963970e7bca
description: Detects the creation of Sodinokibi (aka REvil) registry keys
status: experimental
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://twitter.com/malwrhunterteam/status/1372648463553462279
tags:
    - attack.persistence
    - attack.t1547.001
date: 2021/03/29
author: Maxime THIEBAUT (@0xThiebaut)
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*AstraZeneca'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*franceisshit'
    condition: selection
level: high
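Added example (not part of the gist and not code from the Sigma project): a small matcher that applies the Sigma string rules to the two `TargetObject|contains` values above and runs them over a few constructed Sysmon-style registry events. The point it makes is about escaping: in the Sigma specification an unescaped `*` is a wildcard, `\*` is a literal asterisk with the backslash consumed, and `\\` is a literal backslash, so "a backslash followed by a literal asterisk" is spelled `\\\*`. The `SPEC_VALUES` spelling, the `SAMPLE_EVENTS` data and the Sysmon field names are this example's own assumptions. The asterisk matters for the rule because Windows runs a RunOnce entry whose value name starts with `*` even when the machine boots into Safe Mode, which is why these key names are worth detecting.

```python
import re

# The two values exactly as spelled in the gist above (raw strings so Python
# leaves the backslashes alone).
RULE_VALUES = [
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*AstraZeneca',
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*franceisshit',
]

# Assumption for this example: the same intent spelled per the Sigma spec,
# where "\\" is a literal backslash and "\*" a literal asterisk.
SPEC_VALUES = [
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\\*AstraZeneca',
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\\*franceisshit',
]

# Constructed Sysmon-style registry events (Event ID 13 = value set).
# Field names follow Sysmon; none of these events is real telemetry.
SAMPLE_EVENTS = [
    {'EventID': 13,
     'TargetObject': r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*AstraZeneca'},
    {'EventID': 13,
     'TargetObject': r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*franceisshit'},
    {'EventID': 13,
     'TargetObject': r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup'},
    {'EventID': 13,
     'TargetObject': r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive'},
]


def sigma_value_to_regex(value: str) -> str:
    """Translate one Sigma string value into a regex fragment.

    Sigma semantics: '*' matches any run of characters, '?' one character,
    a backslash escapes a following '*', '?' or '\\' (making it literal),
    and a backslash followed by anything else is itself a literal backslash.
    """
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and i + 1 < len(value) and value[i + 1] in '*?\\':
            out.append(re.escape(value[i + 1]))  # escaped wildcard/backslash
            i += 2
            continue
        if ch == '*':
            out.append('.*')
        elif ch == '?':
            out.append('.')
        else:
            out.append(re.escape(ch))
        i += 1
    return ''.join(out)


def compile_contains(value: str) -> re.Pattern:
    """`field|contains: value`: the value may occur anywhere in the field,
    and Sigma string comparison is case-insensitive."""
    return re.compile(sigma_value_to_regex(value), re.IGNORECASE | re.DOTALL)


def scan(values, events=SAMPLE_EVENTS):
    """Return the TargetObject of every event hit by any of the values."""
    patterns = [compile_contains(v) for v in values]
    return [e['TargetObject'] for e in events
            if any(p.search(e.get('TargetObject', '')) for p in patterns)]


if __name__ == '__main__':
    print('as spelled in the gist:', scan(RULE_VALUES))
    print('spec-escaped spelling :', scan(SPEC_VALUES))
```

Run both `scan` calls before deploying a converted rule: under the spec the gist's spelling compiles to the literal `...\RunOnce*AstraZeneca` (no backslash before the asterisk), so it does not hit the constructed `RunOnce\*AstraZeneca` event, while the `\\\*` spelling does. Whether a given backend (pySigma, legacy sigmac, a SIEM's native converter) follows the spec exactly is something to confirm against a test event containing the real key path.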
@0xThiebaut commented Mar 29, 2021

Based on sysmon_susp_run_key_img_folder.yml with loosened folder conditions in favor of key naming.
