mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
02239fa288
According to [this](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-12-registryevent-object-create-and-delete) it is abbreviated to HKU.
23 lines
670 B
YAML
23 lines
670 B
YAML
title: Ursnif
|
|
status: experimental
|
|
description: Detects new registry key created by Ursnif malware.
|
|
references:
|
|
- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
|
|
- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1112
|
|
author: megan201296
|
|
date: 2019/02/13
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection:
|
|
EventID: 13
|
|
TargetObject: 'HKU\Software\AppDataLow\Software\Microsoft\\*'
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|