title: OceanLotus Registry Activity id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4 status: experimental description: Detects registry keys created in OceanLotus (also known as APT32) attacks references: - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/ tags: - attack.t1112 author: megan201296 date: 2019/04/14 logsource: product: windows service: sysmon detection: selection: EventID: 13 TargetObject: - '*\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application' - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon' - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application' - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon' - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application' - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon' condition: selection falsepositives: - Unknown level: critical