title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
description: Detects the presence of a registry key created during Azorult execution
status: experimental
references:
  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020/05/08
tags:
  - attack.execution
  - attack.t1112
logsource:
  product: windows
  category: registry_event
detection:
  selection:
    EventID:
      - 12
      - 13
    TargetObject|contains: 'SYSTEM\'
    TargetObject|endswith: '\services\localNETService'
  condition: selection
fields:
  - Image
  - TargetObject
  - TargetDetails
falsepositives:
  - unknown
level: critical