sigmahighHunting

HackTool - RedMimicry Winnti Playbook Execution

Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility

MITRE ATT&CK

executiondefense-evasion

Detection Query

selection:
  Image|endswith:
    - \rundll32.exe
    - \cmd.exe
  CommandLine|contains:
    - gthread-3.6.dll
    - \Windows\Temp\tmp.bat
    - sigcmm-2.4.dll
condition: selection

Author

Alexander Rausch

Created

2020-06-24

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://redmimicry.com/posts/redmimicry-winnti/

Tags

attack.executionattack.defense-evasionattack.t1106attack.t1059.003attack.t1218.011

Raw Content

title: HackTool - RedMimicry Winnti Playbook Execution
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
references:
    - https://redmimicry.com/posts/redmimicry-winnti/
author: Alexander Rausch
date: 2020-06-24
modified: 2023-03-01
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1106
    - attack.t1059.003
    - attack.t1218.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'gthread-3.6.dll'
            - '\Windows\Temp\tmp.bat'
            - 'sigcmm-2.4.dll'
    condition: selection
falsepositives:
    - Unknown
level: high