New rule: open-recentdocs-registry-key.yml (#938)

* Add rule get-process-filename.yml --------- Co-authored-by: Moritz <mr-tz@users.noreply.github.com>
mandiant · Oct 3, 2024 · 2317949 · 2317949
1 parent 003341b
commit 2317949
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/host-interaction/registry/open-recentdocs-registry-key.yml b/host-interaction/registry/open-recentdocs-registry-key.yml
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: open RecentDocs registry key
+ namespace: host-interaction/registry
+ authors:
+ - matthew.williams@mandiant.com
+ description: In the example sample, a RecentDocs registry value was leveraged for anti-sandbox purposes. See the referenced Palo Alto blog for details.
+ scopes:
+ static: basic block
+ dynamic: call
+ mbc:
+ - Operating System::Registry::Open Registry Key [C0036.003]
+ references:
+ - https://www.magnetforensics.com/blog/what-is-mru-most-recently-used/
+ - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
+ examples:
+ - 86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa_min_archive.zip
+ features:
+ - and:
+ - match: create or open registry key
+ - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs/i