sigmaDRL-1.1from SigmaHQ/sigma
Potential Ransomware Activity Using LegalNotice Message
Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml
title: Potential Ransomware Activity Using LegalNotice Message
id: 8b9606c9-28be-4a38-b146-0e313cc232c1
status: test
description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
date: 2022-12-11
modified: 2023-08-17
tags:
- attack.impact
- attack.t1491.001
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
Details|contains:
- 'encrypted'
- 'Unlock-Password'
- 'paying'
condition: selection
falsepositives:
- Unknown
level: high