valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

refactor: additional pattern, extended description

Browse Source
This commit is contained in:
Florian Roth 2021-07-03 17:03:40 +02:00
parent 57b816f49d
commit 1d82ac50e4
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rules/windows/process_creation/win_apt_revil_kaseya.yml
View File

@ -1,7 +1,7 @@
title: REvil Kaseya Incident Malware Patterns
id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
status: experimental
description: Detects process command line patterns and locations used by REvil group in Kaseya incident
description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
references:
- https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
- https://www.joesandbox.com/analysis/443736/0/html
@ -22,6 +22,7 @@ detection:
- 'Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled'
- 'del /q /f c:\kworking\agent.crt'
- 'Kaseya VSA Agent Hot-fix'
- '\AppData\Local\Temp\MsMpEng.exe'
selection2:
Image:
- 'C:\Windows\MsMpEng.exe'