Query Details

Forest Blizzard Custom Protocol Handler

Query

# Rule Documentation: Suspicious Registry Modification for Custom Protocol Handler (Windows)

## Description
This detection rule identifies registry modifications that register a custom protocol handler under `\Classes\PROTOCOLS\Handler` on Windows. Entries under that key map a URL scheme to a COM class (by CLSID) that is loaded when the scheme is used, so a handler planted there gives an actor code execution without a conventional autostart entry. Forest Blizzard has used this technique for persistence and to support its other activity; monitoring value writes under the key surfaces the registration when it happens.

- [Detection.FYI on Registry Set for APT Forest Blizzard Custom Protocol Handler](https://detection.fyi/sigmahq/sigma/emerging-threats/2024/ta/forest-blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler/)

## Detection Logic
- Monitors `DeviceRegistryEvents` for `RegistryValueSet` actions.
- Filters for keys under `\Classes\PROTOCOLS\Handler` whose path ends in `rogue`, the handler name the referenced Sigma rule associates with Forest Blizzard's tooling.

## Tags
- Persistence
- Custom Protocol Handler
- APT Forest Blizzard

## Search Query
```kql
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "\\Classes\\PROTOCOLS\\Handler"
| where RegistryKey endswith "rogue"
```

Explanation

This query looks for value writes under the Windows registry key that registers custom protocol handlers (`\Classes\PROTOCOLS\Handler`), the technique associated with Forest Blizzard. Two points matter when tuning it. First, the final `endswith "rogue"` clause ties the rule to a single handler name, so the same tradecraft under a different name is not caught; a broader hunt drops that clause and instead compares handler subkeys against a baseline taken from known-good hosts. Second, `endswith` is unanchored, so it also matches any key name that merely ends in those letters (for example `notrogue`); anchoring on the preceding backslash removes that noise. Both `contains` and `endswith` are case-insensitive in KQL, and `RegistryKey` holds the key path, not the value name, so the rule fires on the write of any value (such as the handler's `CLSID`) under the matching key.
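The following is an added example, not code from the original page or from the Sigma rule it references: it replays the three KQL filters over a handful of constructed `DeviceRegistryEvents`-shaped rows so the matching and non-matching cases are visible, and then goes one step beyond the page's rule with a baseline check that flags a value write under any handler subkey not expected on the host, regardless of its name. The column names mirror those the query uses; the sample rows, the placeholder CLSID data and the `BASELINE_HANDLERS` set are assumptions for the demo.

```python
"""Replay of the page's KQL detection over constructed DeviceRegistryEvents rows.

Added example, not the original page's code. Assumes the MDE column names the
query uses (ActionType, RegistryKey) plus RegistryValueName/RegistryValueData for
readability; the sample rows are constructed, not captured telemetry.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Path fragment the page's query keys on; compared lower-cased because KQL's
# contains / endswith are case-insensitive.
HANDLER_PATH = r"\classes\protocols\handler"


@dataclass
class RegistryEvent:
    # Field names deliberately match the MDE column names.
    DeviceName: str
    ActionType: str
    RegistryKey: str
    RegistryValueName: str
    RegistryValueData: str


# Constructed sample rows (not real telemetry). CLSID data is a placeholder.
SAMPLE_EVENTS: List[RegistryEvent] = [
    # Exactly what the page's query targets: a value written under the 'rogue' handler key.
    RegistryEvent("ws01", "RegistryValueSet",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\rogue",
                  "CLSID", "{PLACEHOLDER-CLSID}"),
    # Key creation precedes the value write; the query filters on RegistryValueSet only.
    RegistryEvent("ws01", "RegistryKeyCreated",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\rogue", "", ""),
    # A built-in handler touched by an installer: not named 'rogue', so the narrow rule stays silent.
    RegistryEvent("ws02", "RegistryValueSet",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\about",
                  "CLSID", "{PLACEHOLDER-CLSID}"),
    # Same tradecraft under a different handler name: evades the narrow rule.
    RegistryEvent("ws03", "RegistryValueSet",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\updater",
                  "CLSID", "{PLACEHOLDER-CLSID}"),
    # Unrelated Run-key write: outside PROTOCOLS\Handler entirely.
    RegistryEvent("ws03", "RegistryValueSet",
                  r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                  "OneDrive", "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"),
]


def page_rule(events: Iterable[RegistryEvent]) -> List[RegistryEvent]:
    """Mirror of the page's three KQL where-clauses."""
    hits = []
    for e in events:
        key = e.RegistryKey.lower()
        if (e.ActionType == "RegistryValueSet"
                and HANDLER_PATH in key          # contains "\\Classes\\PROTOCOLS\\Handler"
                and key.endswith("rogue")):      # endswith "rogue" (unanchored, like KQL)
            hits.append(e)
    return hits


def handler_name(registry_key: str) -> Optional[str]:
    """Return the handler subkey name if the key sits under PROTOCOLS\\Handler, else None."""
    lowered = registry_key.lower()
    idx = lowered.find(HANDLER_PATH + "\\")
    if idx < 0:
        return None
    rest = registry_key[idx + len(HANDLER_PATH) + 1:]
    return rest.split("\\", 1)[0]


# Example baseline of handler names expected on a known-good host. Assumption for
# this demo; collect the real set from your own fleet rather than copying this list.
BASELINE_HANDLERS = {"about", "file", "http", "https", "javascript", "mailto", "res", "vbscript"}


def baseline_rule(events: Iterable[RegistryEvent],
                  baseline=BASELINE_HANDLERS) -> List[RegistryEvent]:
    """Generalization of the page's rule: flag any value written under a handler
    subkey that is not in the baseline, whatever the attacker called it."""
    hits = []
    for e in events:
        if e.ActionType != "RegistryValueSet":
            continue
        name = handler_name(e.RegistryKey)
        if name is not None and name.lower() not in baseline:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for label, rule in (("page rule", page_rule), ("baseline rule", baseline_rule)):
        print(label)
        for hit in rule(SAMPLE_EVENTS):
            print(f"  {hit.DeviceName}: {hit.RegistryKey} [{hit.RegistryValueName}]")
```

Run stand-alone, the page rule reports only the `ws01` write under `Handler\rogue`, while the baseline rule also reports the renamed `ws03` handler and stays quiet on the built-in `about` handler and the Run-key write. The `RegistryKeyCreated` row is skipped by both, which is why a companion rule on key creation is worth having if your telemetry records it.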

Details


Ali Hussein

Released: May 20, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents,RegistryValueSet,RegistryKey,Classes,PROTOCOLS,Handler,ActionType,ForestBlizzard,CustomProtocolHandler,ThreatActor,Monitoring,Persistence,APT

Operators

where, contains, endswith
