2019-05-24 20:17:36 +00:00
|
|
|
title: WannaCry Ransomware
|
2019-11-12 22:12:27 +00:00
|
|
|
id: 41d40bff-377a-43e2-8e1b-2e543069e079
|
2019-01-16 22:36:31 +00:00
|
|
|
status: experimental
|
2019-05-24 20:17:36 +00:00
|
|
|
description: Detects WannaCry ransomware activity
|
2019-01-16 22:36:31 +00:00
|
|
|
references:
|
2019-03-01 23:14:20 +00:00
|
|
|
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
|
2019-01-16 22:36:31 +00:00
|
|
|
author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
|
|
|
|
|
logsource:
|
2019-03-01 23:14:20 +00:00
|
|
|
category: process_creation
|
|
|
|
|
product: windows
|
2019-01-16 22:36:31 +00:00
|
|
|
detection:
|
2019-03-01 23:14:20 +00:00
|
|
|
selection1:
|
|
|
|
|
Image:
|
|
|
|
|
- '*\tasksche.exe'
|
|
|
|
|
- '*\mssecsvc.exe'
|
|
|
|
|
- '*\taskdl.exe'
|
|
|
|
|
- '*\@WanaDecryptor@*'
|
2019-05-24 20:17:36 +00:00
|
|
|
- '*\WanaDecryptor*'
|
2019-03-01 23:14:20 +00:00
|
|
|
- '*\taskhsvc.exe'
|
|
|
|
|
- '*\taskse.exe'
|
|
|
|
|
- '*\111.exe'
|
|
|
|
|
- '*\lhdfrgui.exe'
|
|
|
|
|
- '*\diskpart.exe'
|
|
|
|
|
- '*\linuxnew.exe'
|
|
|
|
|
- '*\wannacry.exe'
|
|
|
|
|
selection2:
|
|
|
|
|
CommandLine:
|
|
|
|
|
- '*icacls * /grant Everyone:F /T /C /Q*'
|
|
|
|
|
- '*bcdedit /set {default} recoveryenabled no*'
|
|
|
|
|
- '*wbadmin delete catalog -quiet*'
|
|
|
|
|
- '*@Please_Read_Me@.txt*'
|
|
|
|
|
condition: 1 of them
|
2019-01-16 22:36:31 +00:00
|
|
|
fields:
|
2019-03-01 23:14:20 +00:00
|
|
|
- CommandLine
|
|
|
|
|
- ParentCommandLine
|
2019-01-16 22:36:31 +00:00
|
|
|
falsepositives:
|
2019-03-01 23:14:20 +00:00
|
|
|
- Diskpart.exe usage to manage partitions on the local hard drive
|
2019-01-16 22:36:31 +00:00
|
|
|
level: critical
|
