title: Pandemic Registry Key
status: experimental
description: Detects Pandemic Windows Implant
references:
    - https://wikileaks.org/vault7/#Pandemic
    - https://twitter.com/MalwareJake/status/870349480356454401
author: Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 13
        TargetObject: 
            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
    selection2:
        EventID: 1
        Command: 'loaddll -a *'
    condition: 1 of them
fields:
    - EventID
    - CommandLine
    - ParentCommandLine
    - Image
    - User
    - TargetObject
falsepositives:
    - unknown
level: critical