New rule: open-recentdocs-registry-key.yml

mandiant · Sep 27, 2024 · 634895a · 634895a
1 parent 93ff8c0
commit 634895a
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/nursery/open-recentdocs-registry-key.yml b/nursery/open-recentdocs-registry-key.yml
@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: open RecentDocs registry key
+    namespace: host-interaction/registry
+    authors:
+      - matthew.williams@mandiant.com
+    description: In the example sample, a RecentDocs registry value was leveraged for anti-sandbox purposes. See the referenced Palo Alto blog for details.
+    scopes:
+      static: basic block
+      dynamic: call
+    mbc:
+      - Operating System::Registry::Open Registry Key [C0036.003]
+    references:
+      - https://www.magnetforensics.com/blog/what-is-mru-most-recently-used/
+      - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
+    # examples:
+      # - cb948b13a5046a692ec3ed8cc16a9566:0x140016dc9 (dynamic)
+  features:
+    - and:
+      - match: create or open registry key
+      - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs/i