ioc_windows_registry_malware_sdbot: this is a scheduled query to detect SDBot malware through the registry values it sets.
Sophos protection capabilities should be protecting you from this, but if you run a test environment and disable the protection capabilities, then this IOC will notify you when the malware is present.
SCHEMA

| Field | Type | Description |
|---|---|---|
| description | string | Plugin description text |
| event_time | long | The time (unix epoch) the value was set |
| event_type | int | The event type |
| key_name | string | The registry key path and name |
| sophos_pid | string | The process ID that produced the registry event and its start time, creating a unique identifier |
| value | string | The stored registry value |
| value_name | string | The name of the value that was set |
| value_type | string | Static REG_BINARY |
```sql
-- ioc_windows_registry_malware_sdbot INFO
SELECT
  -- Device ID DETAILS
  meta_hostname,
  meta_ip_address,
  -- Query Details
  query_name,
  description,
  event_time,
  event_type,
  key_name,
  sophos_pid,
  value,
  value_name,
  value_type,
  -- Decoration
  meta_boot_time,
  meta_eid,
  meta_endpoint_type,
  meta_ip_mask,
  meta_mac_address,
  meta_os_name,
  meta_os_platform,
  meta_os_type,
  meta_os_version,
  meta_public_ip,
  meta_query_pack_version,
  meta_username,
  -- Generic
  calendar_time,
  counter,
  epoch,
  host_identifier,
  numerics,
  osquery_action,
  unix_time,
  -- Data Lake
  customer_id,
  endpoint_id,
  upload_size
FROM xdr_data
WHERE query_name = 'ioc_windows_registry_malware_sdbot'
```
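To turn the raw rows this query returns into a per-endpoint triage view, here is an added Python example (not Sophos code) that consumes rows with the schema above, as exported from the Data Lake, and reports hit counts, first/last seen in UTC, the distinct sophos_pid values involved, and any row whose value_type is not the REG_BINARY the schema promises. The sample rows are constructed; the key path, value and sophos_pid strings in them are placeholders, not real SDBot indicators.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows shaped like ioc_windows_registry_malware_sdbot results.
# key_name, value and sophos_pid are placeholders, not real SDBot indicators.
SAMPLE_ROWS = [
    {"meta_hostname": "lab-win10-01", "endpoint_id": "ep-0001", "event_time": 1700000000,
     "event_type": 1, "key_name": "HKLM\\SOFTWARE\\PLACEHOLDER\\Run", "value_name": "placeholder",
     "value": "4d5a", "value_type": "REG_BINARY", "sophos_pid": "1234:1699999000"},
    {"meta_hostname": "lab-win10-01", "endpoint_id": "ep-0001", "event_time": 1700003600,
     "event_type": 1, "key_name": "HKLM\\SOFTWARE\\PLACEHOLDER\\Run", "value_name": "placeholder",
     "value": "4d5a", "value_type": "REG_BINARY", "sophos_pid": "1234:1699999000"},
    {"meta_hostname": "lab-win10-02", "endpoint_id": "ep-0002", "event_time": 1700007200,
     "event_type": 1, "key_name": "HKLM\\SOFTWARE\\PLACEHOLDER\\Run", "value_name": "placeholder",
     "value": "4d5a", "value_type": "REG_SZ", "sophos_pid": "555:1700001000"},
]


def to_utc(epoch):
    """Render a unix epoch (seconds, as event_time is) as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()


def summarise(rows):
    """Group IOC hits per endpoint: hit count, first/last seen, processes, anomalies."""
    per_host = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                                    "pids": set(), "anomalies": []})
    for row in rows:
        h = per_host[(row["endpoint_id"], row["meta_hostname"])]
        t = int(row["event_time"])
        h["hits"] += 1
        h["first"] = t if h["first"] is None else min(h["first"], t)
        h["last"] = t if h["last"] is None else max(h["last"], t)
        # sophos_pid is treated as an opaque unique process identifier.
        h["pids"].add(row["sophos_pid"])
        # The schema states value_type is static REG_BINARY; anything else is
        # worth a second look (schema drift or a different detection firing).
        if row["value_type"] != "REG_BINARY":
            h["anomalies"].append(f"unexpected value_type {row['value_type']}")
    return {
        host: {"hits": v["hits"], "first_seen": to_utc(v["first"]),
               "last_seen": to_utc(v["last"]), "processes": sorted(v["pids"]),
               "anomalies": v["anomalies"]}
        for host, v in per_host.items()
    }


if __name__ == "__main__":
    for host, info in summarise(SAMPLE_ROWS).items():
        print(host, info)
```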
Someone can test this, but PLEASE only in a restricted environment: the SDBot worm is very dangerous!!