Find AteraNetworks configuration details in the registry. This artifact is best combined with Windows.Forensics.FilenameSearch searching for the string “atera”.
name: Windows.Registry.AteraNetworks
description: |
Find AteraNetworks configuration details in the registry.
This artifact is best combined with Windows.Forensics.FilenameSearch
searching for the string "atera".
author: original author Eduardo Mattos - @eduardfir
reference:
- https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
precondition:
SELECT * FROM info() where OS = 'windows'
parameters:
- name: SearchRegistryGlob
default: \HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks\AlphaAgent\**
description: Use a glob to define the registry hives that will be searched.
sources:
- query: |
SELECT ModTime as LastModified,
FullPath,
Name as KeyName,
Data.value as KeyValue,
Data.type as KeyType
FROM glob(globs=SearchRegistryGlob, accessor='registry')
WHERE NOT Data.type = 'key'
column_types:
- name: Modified
type: timestamp