Nasreddine Bencherchali
42 lines
1.3 KiB
YAML
42 lines
1.3 KiB
YAML
title: OilRig APT Registry Persistence
|
|
id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
|
|
related:
|
|
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
|
|
type: similar
|
|
- id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
|
|
type: similar
|
|
- id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
|
|
type: similar
|
|
status: test
|
|
description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
|
|
references:
|
|
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
|
|
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
|
|
date: 2018-03-23
|
|
modified: 2023-03-08
|
|
tags:
|
|
- attack.privilege-escalation
|
|
- attack.execution
|
|
- attack.persistence
|
|
- attack.defense-impairment
|
|
- attack.g0049
|
|
- attack.t1053.005
|
|
- attack.s0111
|
|
- attack.t1543.003
|
|
- attack.t1112
|
|
- attack.command-and-control
|
|
- attack.t1071.004
|
|
- detection.emerging-threats
|
|
logsource:
|
|
category: registry_event
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
TargetObject|endswith:
|
|
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
|
|
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
|
|
condition: selection
|
|
falsepositives:
|
|
- Unlikely
|
|
level: critical
|