Toneshell Registry Activity

Rule Info

Name
Toneshell Registry Activity
Author
X__Junior
Description
Detects 'Demeter' registry key used to store a randomly generated victim identifier used by 'Toneshell' malware
Reference
https://web-assets.esetstatic.com/wls/en/papers/white-papers/ceranakeeper.pdf
Date
2024-10-05 00:00:00
Modified
None
Id
fb776a64-4c24-4392-8f64-f5b6901665d5
Tags
attack.collection attack.t1125 attack.t1123
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022