Updated Petya rule

2024-11-07 01:45:21 +00:00 · 2017-06-28 12:52:58 +02:00 · 2017-06-28 12:52:58 +02:00 · 950a00f33e
commit 950a00f33e
parent ece1d7e3a8
1 changed files with 6 additions and 2 deletions
--- a/rules/windows/malware/sysmon_malware_notpetya.yml
+++ b/rules/windows/malware/sysmon_malware_notpetya.yml
@ -1,7 +1,7 @@
 title: NotPetya Ransomware Activity
 status: experimental
 description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
-author: Florian Roth
+author: Florian Roth, Tom Ueltschi
 reference: 
    - https://securelist.com/schroedingers-petya/78870/
    - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
@ -20,9 +20,13 @@ detection:
        EventID: 1
        Image: '*\wevtutil.exe'
        CommandLine: '* cl *'
+    rundll32_dash1:
+        EventID: 1
+        Image: '*\rundll32.exe'
+        CommandLine: '*.dat,#1'       
    perfc_keyword:
        - '*\perfc.dat*'
-    condition: fsutil_clean_journal or pipe_com or event_clean or perfc_keyword
+    condition: fsutil_clean_journal or pipe_com or event_clean or rundll32_dash1 or perfc_keyword
 falsepositives:
    - Admin activity
 level: critical