sigmaDRL-1.1from SigmaHQ/sigma
HackTool - RedMimicry Winnti Playbook Execution
Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
Quality
88
FP risk
—
Forks
0
Views
0
Rule sourcerules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml
title: HackTool - RedMimicry Winnti Playbook Execution
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
references:
- https://redmimicry.com/posts/redmimicry-winnti/
author: Alexander Rausch
date: 2020-06-24
modified: 2023-03-01
tags:
- attack.execution
- attack.defense-evasion
- attack.t1106
- attack.t1059.003
- attack.t1218.011
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith:
- '\rundll32.exe'
- '\cmd.exe'
CommandLine|contains:
- 'gthread-3.6.dll'
- '\Windows\Temp\tmp.bat'
- 'sigcmm-2.4.dll'
condition: selection
falsepositives:
- Unknown
level: high