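# Sigma rule: flags DNS query events whose `query` field equals one of the
# WannaCry kill-switch domain names listed under `detection.selection`.
title: Wannacry Killswitch Domain
id: c64c5175-5189-431b-a55e-6d9882158251
status: experimental
description: Detects wannacry killswitch domain dns queries
references:
    - https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html
author: Mike Wade
date: 2020/09/16
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: dns
detection:
    selection:
        # No value modifier is set, so each entry is compared against the
        # whole `query` field.
        # NOTE(review): a name logged with an extra leading label (for example
        # `www.`) or with a trailing dot would not match; confirm how the DNS
        # source records names and whether `query|endswith` fits better.
        # NOTE(review): check this list against the referenced report for
        # completeness before relying on it for coverage.
        query:
            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
            - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
            - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
            # An empty-string entry ('') was removed from this list. As a list
            # member it is OR-ed with the domains, so any DNS event with an
            # empty `query` field would have raised this high-level alert.
    condition: selection
falsepositives:
    - Analyst testing
# A hit identifies the client recorded in the DNS event; where queries pass
# through a forwarder, that may be the resolver rather than the originating host.
level: high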