---
action: global
title: Pandemic Registry Key
status: experimental
description: Detects Pandemic Windows Implant
references:
    - https://wikileaks.org/vault7/#Pandemic
    - https://twitter.com/MalwareJake/status/870349480356454401
tags:
    - attack.lateral_movement
    - attack.t1105
author: Florian Roth
detection:
    condition: 1 of them
fields:
    - EventID
    - CommandLine
    - ParentCommandLine
    - Image
    - User
    - TargetObject
falsepositives:
    - unknown
level: critical
---
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 13
        TargetObject: 
            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
---
logsource:
    category: process_creation
    product: windows
detection:
    selection2:
        Command: 'loaddll -a *'