SigmaHQ/rules/windows/malware/mal_azorult_reg.yml

title: Registy Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
description: Detects the presence of a registry key created during Azorult execution
status: experimental
references:
  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020/05/08
tags:
  - attack.execution
  - attack.t1112
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID:
      - 12
      - 13
    TargetObject|endswith:
      - 'SYSTEM\\*\services\localNETService'
  condition: selection
fields:
  - Image
  - TargetObject
  - TargetDetails
falsepositives:
  - unknown
level: critical
Update mal_azorult_reg.yml 2020-05-09 01:31:33 +00:00			`title: Registy Entries For Azorult Malware`
Registry entry for Azorult malware Detects registry keys used by Azorult malware 2020-05-09 01:26:24 +00:00			`id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7`
			`description: Detects the presence of a registry key created during Azorult execution`
			`status: experimental`
			`references:`
			`- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a`
			`author: Trent Liffick`
			`date: 2020/05/08`
			`tags:`
			`- attack.execution`
			`- attack.t1112`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID:`
			`- 12`
			`- 13`
Update mal_azorult_reg.yml 2020-10-28 01:07:45 +00:00			`TargetObject\|endswith:`
Update mal_azorult_reg.yml 2020-10-15 19:15:25 +00:00			`- 'SYSTEM\\*\services\localNETService'`
Registry entry for Azorult malware Detects registry keys used by Azorult malware 2020-05-09 01:26:24 +00:00			`condition: selection`
			`fields:`
			`- Image`
			`- TargetObject`
			`- TargetDetails`
			`falsepositives:`
			`- unknown`
Changed level to ciritcal 2020-05-11 08:40:23 +00:00			`level: critical`