valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
55e66b1843
SigmaHQ/rules/windows/process_creation/win_ransomware_shadowcopy.yml

25 lines
879 B
YAML
Raw Normal View History

rule: reworked vssadmin rule
2019-08-04 09:27:03 +00:00
title: Ransomware Deletes Volume Shadow Copies
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: 4eebe114-4b24-4a9d-9a6c-c7bd7c8eaa61
Rule: Split up WanaCry rule into two separate rules
2019-06-02 07:51:45 +00:00
status: experimental
rule: reworked vssadmin rule
2019-08-04 09:27:03 +00:00
description: Detects commands that delete all local volume shadow copies as used by different Ransomware families
Rule: Split up WanaCry rule into two separate rules
2019-06-02 07:51:45 +00:00
references:
rule: reworked vssadmin rule
2019-08-04 09:27:03 +00:00
- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
Rule: Split up WanaCry rule into two separate rules
2019-06-02 07:51:45 +00:00
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
author: Florian Roth
date: 2019/06/01
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '*vssadmin delete shadows*'
Rule: added wmic SHADOWCOPY DELETE
2019-06-02 08:56:13 +00:00
- '*wmic SHADOWCOPY DELETE*'
Rule: Split up WanaCry rule into two separate rules
2019-06-02 07:51:45 +00:00
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Adminsitrative scripts - e.g. to prepare image for golden image creation
level: critical
Reference in New Issue Copy Permalink