Detection rules › Sigma
Load Of RstrtMgr.DLL By A Suspicious Process
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
| Impact | T1486 Data Encrypted for Impact |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
Stages and Predicates
Stage 1: selection_img
or:
ImageLoaded|endswith: '\RstrtMgr.dll'
OriginalFileName: RstrtMgr.dll
Stage 2: 1 of selection_folders_1
or:
Image|contains: ':\Perflogs\'
Image|contains: ':\Users\Public\'
Image|contains: '\Temporary Internet'
Stage 3: 1 of selection_folders_2
or:
Image|contains: ':\Users\'
Image|contains: '\Contacts\'
Image|contains: ':\Users\'
Image|contains: '\Favorites\'
Image|contains: ':\Users\'
Image|contains: '\Favourites\'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | match |
|
ImageLoaded | ends_with |
|
OriginalFileName | eq |
|