@0xThiebaut
Last active March 29, 2021 20:18
Sodinokibi Ransomware Registry Key
title: Sodinokibi Ransomware Registry Key
id: 9fecd354-77f0-498e-a611-c963970e7bca
description: Detects the creation of Sodinokibi (aka REvil) registry keys
status: experimental
references:
  - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
  - https://twitter.com/malwrhunterteam/status/1372648463553462279
tags:
  - attack.persistence
  - attack.t1547.001
date: 2021/03/29
author: Maxime THIEBAUT (@0xThiebaut)
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*AstraZeneca'
      - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*franceisshit'
  condition: selection
level: high
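To show what the rule's `TargetObject|contains` selection actually matches, here is an added Python example; it is not part of the gist and not a Sigma project tool. It implements the value-to-regex translation described in the Sigma specification's escaping section (`*` and `?` are wildcards, `\*` is a literal asterisk, `\\*` is a backslash followed by a wildcard, case-insensitive matching) and runs the selection over three constructed Sysmon EventID 13 records (the paths, image names and details are invented for the example). Read under those rules, the gist's `RunOnce\*AstraZeneca` means "RunOnce, a literal asterisk, AstraZeneca" and so does not match a value named `...\RunOnce\AstraZeneca`, whereas `RunOnce\\*AstraZeneca` (or simply `RunOnce\AstraZeneca` without a wildcard) does. Which reading your deployment gets depends on the backend that converts the rule, so this is worth verifying before relying on it.

```python
import re

# Constructed Sysmon registry events (EventID 13 = registry value set).
# The first two carry the RunOnce value names the rule looks for; the third is
# benign noise. None of these records come from the gist or the linked report.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AstraZeneca",
     "Details": "<constructed placeholder command line>"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\franceisshit",
     "Details": "1"},
    {"EventID": 13, "Image": r"C:\Program Files\Example\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\Example\updater.exe /background"},
]

# The two values exactly as written in the gist's TargetObject|contains list.
GIST_VALUES = [
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*AstraZeneca",
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*franceisshit",
]

# The same intent spelled per the Sigma specification: a plain backslash that is
# followed by a wildcard must itself be escaped ("RunOnce\\*AstraZeneca").
SPEC_VALUES = [
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*AstraZeneca",
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*franceisshit",
]


def sigma_value_to_regex(pattern: str, modifier: str = "contains") -> re.Pattern:
    r"""Translate one Sigma string value into a compiled, case-insensitive regex.

    Escaping rules from the Sigma specification:
      *     any run of characters          ?     any single character
      \*    a literal asterisk             \?    a literal question mark
      \\    a literal backslash (so "\\*" is a backslash followed by a wildcard)
      a backslash not followed by *, ? or \ is itself a literal backslash
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
        if ch == "\\" and nxt in ("*", "?"):      # escaped wildcard -> literal
            out.append(re.escape(nxt)); i += 2
        elif ch == "\\" and nxt == "\\":          # escaped backslash -> literal
            out.append(re.escape("\\")); i += 2
        elif ch == "*":                           # wildcard: any characters
            out.append(".*"); i += 1
        elif ch == "?":                           # wildcard: one character
            out.append("."); i += 1
        else:                                     # plain character (or lone backslash)
            out.append(re.escape(ch)); i += 1
    body = "".join(out)
    if modifier == "contains":
        body = ".*" + body + ".*"
    elif modifier == "startswith":
        body = body + ".*"
    elif modifier == "endswith":
        body = ".*" + body
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


def match_selection(event: dict, field: str, modifier: str, values: list) -> bool:
    """A list of values under one Sigma field is OR-ed: any match is a hit."""
    target = event.get(field)
    if not isinstance(target, str):
        return False
    return any(sigma_value_to_regex(v, modifier).match(target) for v in values)


def run_rule(events: list, values: list, field: str = "TargetObject",
             modifier: str = "contains") -> list:
    """Return the TargetObject of every event the selection matches."""
    return [e["TargetObject"] for e in events
            if match_selection(e, field, modifier, values)]


if __name__ == "__main__":
    print("gist values, spec escaping:", run_rule(SAMPLE_EVENTS, GIST_VALUES))
    print("spec-escaped values:       ", run_rule(SAMPLE_EVENTS, SPEC_VALUES))
```

The matcher deliberately follows the specification text rather than any one conversion backend; swapping `GIST_VALUES` for `SPEC_VALUES` in the last two lines is the quickest way to see the difference on your own Sysmon samples.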
@0xThiebaut (Author):

Based on sysmon_susp_run_key_img_folder.yml with loosened folder conditions in favor of key naming.
