SigmaHQ/rules/windows/registry_event/sysmon_apt_leviathan.yml

title: Leviathan Registry Key Activity
id: 70d43542-cd2d-483c-8f30-f16b436fd7db
status: experimental
description: Detects registry key used by Leviathan APT in Malaysian focused campaign
references:
    - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
tags:
    - attack.persistence
    - attack.t1060 # an old one
    - attack.t1547.001
author: Aidan Bracher
date: 2020/07/07
modified: 2020/09/06
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
    condition: selection
level: critical
add level field to rule 2020-07-07 13:28:18 +00:00			`title: Leviathan Registry Key Activity`
rule: Leviathan registry key 2020-07-07 12:27:57 +00:00			`id: 70d43542-cd2d-483c-8f30-f16b436fd7db`
			`status: experimental`
			`description: Detects registry key used by Leviathan APT in Malaysian focused campaign`
			`references:`
			`- https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign`
			`tags:`
			`- attack.persistence`
att&ck tags review: windows/registry_event 2020-09-06 19:08:27 +00:00			`- attack.t1060 # an old one`
			`- attack.t1547.001`
rule: Leviathan registry key 2020-07-07 12:27:57 +00:00			`author: Aidan Bracher`
			`date: 2020/07/07`
att&ck tags review: windows/registry_event 2020-09-06 19:08:27 +00:00			`modified: 2020/09/06`
rule: Leviathan registry key 2020-07-07 12:27:57 +00:00			`logsource:`
			`category: registry_event`
			`product: windows`
			`detection:`
			`selection:`
			`TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'`
			`condition: selection`
Update sysmon_apt_leviathan.yml 2020-07-10 13:41:55 +00:00			`level: critical`