SigmaHQ/rules/network/net_wannacry_killswitch_domain.yml

26 lines
841 B
YAML
Raw Normal View History

2020-09-17 02:32:31 +00:00
title: Wannacry Killswitch Domain
id: c64c5175-5189-431b-a55e-6d9882158251
status: experimental
description: Detects wannacry killswitch domain dns queries
references:
- https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html
author: Mike Wade
date: 2020/09/16
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: dns
detection:
selection:
query:
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
- 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- ''
condition: selection
falsepositives:
- Analyst testing
level: high