Potential Encrypted Registry Blob Related To SNAKE Malware

Status: test
Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA.

Event coverage

Provider | Event       | Title
Sysmon   | Event ID 13 | RegistryEvent (Value Set)

Rule body yaml

title: Potential Encrypted Registry Blob Related To SNAKE Malware
id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
status: test
description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
modified: 2023-08-17
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Classes\.wav\OpenWithProgIds\'
    filter_main_wav:
        - TargetObject|endswith: '.AssocFile.WAV'
        - TargetObject|contains: '.wav.'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some additional tuning might be required to tune out legitimate processes that write to this key by default
level: medium

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_main_*

Stage 1: selection

selection:
    TargetObject|contains: '\SOFTWARE\Classes\.wav\OpenWithProgIds\'

Stage 2: not filter_main_wav

filter_main_wav:
    - TargetObject|endswith: '.AssocFile.WAV'
    - TargetObject|contains: '.wav.'
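To make the two stages concrete, here is an added Python walk-through of the rule's condition ("selection and not 1 of filter_main_*") run over a handful of constructed Sysmon Event ID 13 records. This is example code written for this page, not part of the SigmaHQ rule or its tooling; it assumes Sigma's default case-insensitive string matching and that the registry_set log source maps to Sysmon Event ID 13, and every TargetObject value below is invented to exercise one branch of the logic.

```python
"""Evaluate the SNAKE .wav\\OpenWithProgIds rule logic over sample registry events."""
from typing import Dict, List

# Predicates transcribed from the rule body. A normal (non-raw) string is used
# for the selection value because a raw string literal cannot end in a backslash.
SELECTION_CONTAINS = "\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds\\"
FILTER_ENDSWITH = ".AssocFile.WAV"
FILTER_CONTAINS = ".wav."


def selection(event: Dict[str, object]) -> bool:
    """Stage 1: TargetObject|contains the .wav OpenWithProgIds path (case-insensitive)."""
    target = str(event.get("TargetObject", "")).casefold()
    return SELECTION_CONTAINS.casefold() in target


def filter_main_wav(event: Dict[str, object]) -> bool:
    """Stage 2: list items under a Sigma filter are OR'ed, so either predicate suppresses."""
    target = str(event.get("TargetObject", "")).casefold()
    return target.endswith(FILTER_ENDSWITH.casefold()) or FILTER_CONTAINS.casefold() in target


def matches(event: Dict[str, object]) -> bool:
    """Stage 0: selection and not 1 of filter_main_*, restricted to value-set events."""
    # registry_set on the Sysmon backend is Event ID 13 (RegistryEvent, Value Set);
    # key creation (Event ID 12) or other providers are out of scope for this rule.
    if event.get("EventID") != 13:
        return False
    return selection(event) and not filter_main_wav(event)


def run(events: List[Dict[str, object]]) -> List[str]:
    """Return the TargetObject of every event the rule would fire on."""
    return [str(e["TargetObject"]) for e in events if matches(e)]


# Constructed sample telemetry (not captured from a real host). Each record is
# the subset of Sysmon fields the rule needs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Benign-looking ProgID name: suppressed by the endswith filter.
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-111\SOFTWARE\Classes\.wav\OpenWithProgIds\WMP11.AssocFile.WAV"},
    # Name containing ".wav.": suppressed by the contains filter.
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-111\SOFTWARE\Classes\.wav\OpenWithProgIds\SomePlayer.wav.1"},
    # Uncommon opaque value name under the key: this is what the rule is after.
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-111\SOFTWARE\Classes\.wav\OpenWithProgIds\0A1B2C3D4E5F6A7B8C9D"},
    # Different extension key: selection does not match at all.
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Classes\.mp3\OpenWithProgIds\0A1B2C3D4E5F6A7B8C9D"},
    # Same path but a key-create event (ID 12): not a registry_set event.
    {"EventID": 12, "TargetObject": r"HKU\S-1-5-21-111\SOFTWARE\Classes\.wav\OpenWithProgIds\0A1B2C3D4E5F6A7B8C9D"},
    # Lower-case path: still matches because Sigma string comparison is case-insensitive.
    {"EventID": 13, "TargetObject": r"hku\s-1-5-21-111\software\classes\.wav\openwithprogids\blobvalue"},
]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block prints two alerts: the opaque hex-style value name and the lower-case variant. The two filtered records show why the rule's own false-positive note matters: any legitimate writer whose ProgID does not end in ".AssocFile.WAV" or contain ".wav." will surface and needs an additional filter_main_* entry in the deployment's copy of the rule.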

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Stage | Field        | Kind       | Excluded values
2     | TargetObject | ends_with  | .AssocFile.WAV
2     | TargetObject | match      | .wav.

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field        | Kind  | Values
TargetObject | match | • \SOFTWARE\Classes\.wav\OpenWithProgIds\