persist via GinaDLL registry key

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: persist via GinaDLL registry key
    namespace: persistence/registry/ginadll
    authors:
      - michael.hunhoff@fireye.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Persistence::Event Triggered Execution [T1546]
    examples:
      - Practical Malware Analysis Lab 11-01.exe_:0x401000
  features:
    - and:
      - or:
        - match: set registry value
        - number: 0x80000002 = HKEY_LOCAL_MACHINE
      - string: /SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon/i
      - string: /GinaDLL/i

last edited: 2023-11-24 10:35:00