
HackTool - RedMimicry Winnti Playbook Execution

Sigma · HIGH · SigmaHQ
ATT&CK: T1106 · T1059.003 · T1218.011
Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-09T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility.

Detection Rule

Sigma (Original)

title: HackTool - RedMimicry Winnti Playbook Execution
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
references:
    - https://redmimicry.com/posts/redmimicry-winnti/
author: Alexander Rausch
date: 2020-06-24
modified: 2023-03-01
tags:
    - attack.execution
    - attack.stealth
    - attack.t1106
    - attack.t1059.003
    - attack.t1218.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'gthread-3.6.dll'
            - '\Windows\Temp\tmp.bat'
            - 'sigcmm-2.4.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\cmd.exe") and (TargetProcessCommandLine contains "gthread-3.6.dll" or TargetProcessCommandLine contains "\\Windows\\Temp\\tmp.bat" or TargetProcessCommandLine contains "sigcmm-2.4.dll")
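The following Python is an added example, not part of the SigmaHQ rule or of this feed: it implements the rule's `selection` block (Image suffix AND CommandLine substring, both case-insensitive as Sigma and Kusto `endswith`/`contains` are) and runs it over constructed process-creation events so the matching and non-matching cases can be seen side by side.

```python
# Added example (not the SigmaHQ rule's own code): a minimal evaluator for the
# rule's 'selection' block, run over constructed process-creation events.
# Sigma string modifiers are case-insensitive by default, so both sides are lowercased.

IMAGE_SUFFIXES = ("\\rundll32.exe", "\\cmd.exe")
CMDLINE_NEEDLES = ("gthread-3.6.dll", "\\windows\\temp\\tmp.bat", "sigcmm-2.4.dll")


def matches_redmimicry_winnti(event: dict) -> bool:
    """True if the event satisfies the selection: Image suffix AND CommandLine substring."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    image_hit = any(image.endswith(s) for s in IMAGE_SUFFIXES)
    cmdline_hit = any(n in cmdline for n in CMDLINE_NEEDLES)
    return image_hit and cmdline_hit


# Constructed sample events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\Temp\\gthread-3.6.dll,Init"},
    {"id": 2, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Windows\\Temp\\tmp.bat"},
    {"id": 3, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},   # ordinary rundll32 use
    {"id": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Item gthread-3.6.dll"},  # needle present, Image not in list
    {"id": 5, "Image": "C:\\Windows\\SysWOW64\\RUNDLL32.EXE",
     "CommandLine": "RUNDLL32.EXE C:\\Temp\\SIGCMM-2.4.DLL,Run"},  # case differs; still matches
]


def alert_ids(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events that would raise this rule."""
    return [e["id"] for e in events if matches_redmimicry_winnti(e)]


if __name__ == "__main__":
    print("alerting event ids:", alert_ids())  # [1, 2, 5]
```

Event 4 shows why the Image condition matters: the DLL name alone is not enough, and event 5 shows the case-insensitive match that the Sigma rule and the KQL translation both rely on.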

Required Data Sources

Sentinel Table    Notes
imProcessCreate   Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml