Redcannary

This commit is contained in:
frack113
2022-12-11 16:46:32 +01:00
parent 646d861471
commit 89d2d00a5b
@@ -0,0 +1,28 @@
title: Set Display Ransom Message
id: 8b9606c9-28be-4a38-b146-0e313cc232c1
status: experimental
description: Detect modification of LegalNoticeCaption or LegalNoticeText to set a ransom message
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
date: 2022/12/11
tags:
- attack.impact
- attack.t1491.001
logsource:
product: windows
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
Details|contains:
- 'encrypted'
- 'Unlock-Password'
- 'paying'
condition: selection
falsepositives:
- Unknown
level: high
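Review bot: the `Details|contains` list ('encrypted', 'Unlock-Password', 'paying') is lifted from the single Atomic Red Team test in the reference, so the rule only fires when the ransom text happens to use one of those three words; consider documenting that scope in `description` or widening the keyword set (terms such as 'decrypt', 'bitcoin', 'ransom' are common in real notes) rather than implying general coverage of T1491.001. The `falsepositives` entry of `Unknown` should name the obvious one: administrators legitimately set `LegalNoticeCaption`/`LegalNoticeText` as a logon banner, and a banner that mentions "encrypted" (for example an encryption-policy notice) will match with `level: high`. Also double-check indentation in the committed file: as rendered here `selection:`, `EventType:` and `TargetObject|contains:` appear at the same level, which would not parse as the intended nested Sigma `detection` block.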