title: Ursnif
id: 21f17060-b282-4249-ade0-589ea3591558
status: experimental
description: Detects new registry key created by Ursnif malware.
references:
    - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
    - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
tags:
    - attack.execution
    - attack.t1112
author: megan201296
date: 2019/02/13
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        # Sysmon Event ID 13 = RegistryEvent (Value Set)
        EventID: 13
        TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\\'
    condition: selection
falsepositives:
    - Unknown
level: critical