action: global
title: Pandemic Registry Key
id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
status: experimental
description: Detects Pandemic Windows Implant
references:
    - https://wikileaks.org/vault7/#Pandemic
    - https://twitter.com/MalwareJake/status/870349480356454401
tags:
    - attack.lateral_movement
    - attack.t1105
author: Florian Roth
date: 2017/06/01
fields:
    - EventID
    - CommandLine
    - ParentCommandLine
    - Image
    - User
    - TargetObject
falsepositives:
    - unknown
level: critical
---
logsource:
    category: registry_event
    product: windows
detection:
    selection1:        
        TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
    condition: 1 of them
---
logsource:
    category: process_creation
    product: windows
detection:
    selection2:
        CommandLine|contains: 'loaddll -a '
    condition: 1 of them