Windows Modify Registry ValleyRat PWN Reg Entry

Splunk Security Content

Summary
This rule detects modifications to the Windows Registry that target the `.pwn` file association, a behaviour associated with ValleyRAT malware. ValleyRAT may create or modify registry entries that link the `.pwn` extension to a malicious handler, so that opening a `.pwn` file executes attacker-controlled scripts or commands. The rule monitors Sysmon EventID 13 (registry value set) for writes to registry keys relevant to the `.pwn` extension, so that analysts can identify potential ValleyRAT infections. Early detection of such modifications helps stop unauthorized execution and further exploitation of the affected system. The rule uses Splunk searches to track the specific registry paths and values that define this file association.
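The following is an added example, not the rule's own SPL and not code from the Splunk Security Content project. It applies the same idea offline: take Sysmon EventID 13 (value set) records and flag writes under the `.pwn` file-association key. The registry paths are assumptions about how Sysmon reports file associations (`HKLM\SOFTWARE\Classes\.pwn` machine-wide, `HKU\<SID>\Software\Classes\.pwn` per user), the sample events are constructed, and the second stage, which follows the ProgID named by the `.pwn` key to its `shell\open\command` handler, goes beyond what the rule description states.

```python
import re

# Constructed Sysmon EventID 13 (RegistryEvent: Value Set) records in the field
# shape Sysmon emits. These are sample inputs for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\.docx\OpenWithProgids\Word.Document.12",
     "Details": "(Empty)"},
    # Key creation (EventID 12) is not a value set, so the rule logic ignores it.
    {"EventID": 12, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.pwn", "Details": ""},
    # The default value of the extension key names the ProgID that handles .pwn files.
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.pwn\(Default)", "Details": "pwnfile"},
    # The ProgID's open command: what actually runs when a .pwn file is opened.
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\pwnfile\shell\open\command\(Default)",
     "Details": r'"C:\Users\Public\update.exe" "%1"'},
    # Near miss: a different extension that merely starts with ".pwn".
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\.pwned\(Default)",
     "Details": "txtfile"},
    # Per-user association written directly under the .pwn key.
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\.pwn\shell\open\command\(Default)",
     "Details": r'cmd.exe /c "%1"'},
]

# Matches the .pwn extension key itself or any value beneath it, but not ".pwned".
PWN_EXT_KEY_RE = re.compile(r"\\Classes\\\.pwn(?:\\|$)", re.IGNORECASE)
# Matches the default value of the extension key, whose data is the ProgID name.
PWN_EXT_DEFAULT_RE = re.compile(r"\\Classes\\\.pwn(?:\\\(Default\))?$", re.IGNORECASE)


def find_pwn_association_writes(events):
    """Return a list of {'reason': ..., 'event': ...} hits.

    Stage 1 flags any EventID 13 write under a .pwn file-association key.
    Stage 2 (an extension beyond the rule description) resolves the ProgID set
    as the .pwn key's default value and flags writes to that ProgID's
    shell\\open\\command key, which holds the command line that will execute.
    """
    hits = []
    flagged_ids = set()
    progids = set()

    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        if PWN_EXT_KEY_RE.search(target):
            hits.append({"reason": "pwn_extension_key", "event": ev})
            flagged_ids.add(id(ev))
            if PWN_EXT_DEFAULT_RE.search(target):
                progid = ev.get("Details", "").strip().lower()
                if progid:
                    progids.add(progid)

    for ev in events:
        if ev.get("EventID") != 13 or id(ev) in flagged_ids:
            continue
        target = ev.get("TargetObject", "").lower()
        for progid in progids:
            if "\\classes\\%s\\shell\\open\\command" % progid in target:
                hits.append({"reason": "pwn_handler_command", "event": ev})
                flagged_ids.add(id(ev))
                break

    return hits


if __name__ == "__main__":
    for hit in find_pwn_association_writes(SAMPLE_EVENTS):
        ev = hit["event"]
        print("%-22s %s -> %s = %s" % (hit["reason"], ev["Image"],
                                       ev["TargetObject"], ev["Details"]))
```

Two details matter when tuning this on real data: the regex anchors the extension so `.pwned` does not fire, and the handler stage only triggers after a `.pwn` key's default value has been seen in the same batch, so it needs the same time window as the association write.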
Categories
  • Windows
  • Endpoint
Data Sources
  • File
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1112
Created: 2024-12-16