
Summary
This detection rule identifies unauthorized modifications to Windows registry keys associated with the ValleyRAT command-and-control (C2) configuration. By focusing on specific registry paths such as `\Console\IpDateInfo` and `\Console\SelfPath`, the rule detects changes where ValleyRAT is known to store its C2 server's IP address and its own executable path. The rule uses Sysmon Event IDs 12 and 13 to collect registry modifications. Detecting these changes matters because they indicate attempts by the malware to maintain a persistent connection with its C2 server, which could lead to data exfiltration or unauthorized control over compromised systems. The rule depends on correctly ingesting Sysmon logs that carry the necessary registry details from the monitored endpoints, which strengthens proactive defense against ValleyRAT activity.
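The following is an added example, not the rule's own search logic or code from the original page. It shows the detection described above applied to a handful of constructed Sysmon registry events: any Event ID 12 or 13 whose target object contains `\Console\IpDateInfo` or `\Console\SelfPath` is raised as a finding. The field names (EventID, TargetObject, Details, Image, User, Computer) are assumed to follow Sysmon's registry event schema, and every sample event, hostname, path and IP address below is constructed for illustration.

```python
"""Added example: minimal detection logic for ValleyRAT C2 registry changes.

Assumptions (not from the original page): event dictionaries use Sysmon
registry-event field names, and all sample data here is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registry path fragments the rule keys on (from the rule description).
VALLEYRAT_REGISTRY_MARKERS = (r"\Console\IpDateInfo", r"\Console\SelfPath")

# Sysmon registry events the rule consumes:
# 12 = RegistryEvent (object create/delete), 13 = RegistryEvent (value set).
REGISTRY_EVENT_IDS = {12, 13}


@dataclass(frozen=True)
class Finding:
    computer: str
    user: str
    image: str
    event_id: int
    target_object: str
    details: str
    marker: str


def matched_marker(target_object: str) -> Optional[str]:
    """Return the marker contained in the registry path, if any.

    Registry paths are case-insensitive and the hive/SID prefix varies per
    user, so a case-insensitive substring match is used rather than an
    exact path comparison.
    """
    lowered = target_object.lower()
    for marker in VALLEYRAT_REGISTRY_MARKERS:
        if marker.lower() in lowered:
            return marker
    return None


def is_valleyrat_c2_config_change(event: dict) -> bool:
    """True when a Sysmon registry event touches a ValleyRAT config key."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return False
    return matched_marker(event.get("TargetObject", "")) is not None


def detect(events: Iterable[dict]) -> List[Finding]:
    """Run the rule over a stream of events and collect findings."""
    findings: List[Finding] = []
    for ev in events:
        if not is_valleyrat_c2_config_change(ev):
            continue
        marker = matched_marker(ev["TargetObject"])
        findings.append(Finding(
            computer=ev.get("Computer", ""),
            user=ev.get("User", ""),
            image=ev.get("Image", ""),
            event_id=ev["EventID"],
            target_object=ev["TargetObject"],
            details=ev.get("Details", ""),
            marker=marker or "",
        ))
    return findings


# Constructed sample events (not real telemetry). The SID, host, binary path
# and the 192.0.2.0/24 address are placeholders.
SAMPLE_EVENTS = [
    # Value set holding a C2 address: should match.
    {"EventID": 13, "Computer": "ws01.example.internal", "User": r"EXAMPLE\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Console\IpDateInfo",
     "Details": "192.0.2.10:8080"},
    # Key creation for the executable path: should match.
    {"EventID": 12, "Computer": "ws01.example.internal", "User": r"EXAMPLE\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Console\SelfPath",
     "Details": ""},
    # Ordinary console setting change: same key family, should not match.
    {"EventID": 13, "Computer": "ws01.example.internal", "User": r"EXAMPLE\alice",
     "Image": r"C:\Windows\System32\conhost.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Console\WindowSize",
     "Details": "DWORD (0x00190078)"},
    # Process-create event with a lookalike string: wrong Event ID, no match.
    {"EventID": 1, "Computer": "ws01.example.internal", "User": r"EXAMPLE\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Console\IpDateInfo",
     "Details": ""},
]


def run_demo() -> int:
    """Print findings for the constructed sample and return their count."""
    findings = detect(SAMPLE_EVENTS)
    for f in findings:
        print(f"[ValleyRAT C2 config] host={f.computer} user={f.user} "
              f"event_id={f.event_id} image={f.image} "
              f"target={f.target_object} details={f.details!r}")
    return len(findings)


if __name__ == "__main__":
    run_demo()
```

Both Event IDs are included deliberately: a key create (12) on `\Console\SelfPath` can precede the value write (13) that carries the C2 address, and alerting on either gives earlier visibility. The substring match keeps the rule independent of the user's SID prefix, while the Event ID filter stops unrelated events that merely mention the same string from firing.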
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1112
Created: 2024-11-13