2017-05-13 08:40:41 +00:00
|
|
|
title: WannaCry Ransomware via Sysmon
|
2017-05-12 19:57:53 +00:00
|
|
|
status: experimental
|
2017-05-13 08:40:41 +00:00
|
|
|
description: Detects WannaCry ransomware activity via Sysmon
|
2017-05-12 21:02:13 +00:00
|
|
|
reference: https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
|
2017-05-12 19:57:53 +00:00
|
|
|
author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: sysmon
|
|
|
|
|
detection:
|
|
|
|
|
selection1:
|
|
|
|
|
EventID: 1
|
|
|
|
|
Image:
|
|
|
|
|
- '*\tasksche.exe'
|
|
|
|
|
- '*\mssecsvc.exe'
|
|
|
|
|
- '*\taskdl.exe'
|
2017-05-13 16:33:51 +00:00
|
|
|
- '*\@WanaDecryptor@*'
|
2017-05-12 19:57:53 +00:00
|
|
|
- '*\taskhsvc.exe'
|
|
|
|
|
- '*\taskse.exe'
|
2017-05-13 08:40:41 +00:00
|
|
|
- '*\111.exe'
|
|
|
|
|
- '*\lhdfrgui.exe'
|
|
|
|
|
- '*\diskpart.exe' # Rare, but can be false positive
|
|
|
|
|
- '*\linuxnew.exe'
|
|
|
|
|
- '*\wannacry.exe'
|
2017-05-12 19:57:53 +00:00
|
|
|
selection2:
|
|
|
|
|
EventID: 1
|
|
|
|
|
CommandLine:
|
2017-05-13 08:40:41 +00:00
|
|
|
- '*vssadmin delete shadows*'
|
|
|
|
|
- '*icacls * /grant Everyone:F /T /C /Q*'
|
|
|
|
|
- '*bcdedit /set {default} recoveryenabled no*'
|
2017-05-12 19:57:53 +00:00
|
|
|
- '*wbadmin delete catalog -quiet*'
|
2017-05-13 16:33:51 +00:00
|
|
|
- '*@Please_Read_Me@.txt*'
|
2017-05-12 19:57:53 +00:00
|
|
|
condition: selection1 or selection2
|
|
|
|
|
falsepositives:
|
2017-05-13 08:40:41 +00:00
|
|
|
- Diskpart.exe usage to manage partitions on the local hard drive
|
2017-05-12 19:57:53 +00:00
|
|
|
level: critical
|
2017-05-12 20:32:40 +00:00
|
|
|
|
2017-05-13 16:33:51 +00:00
|
|
|
|
