Merge pull request #1617 from SigmaHQ/rule-devel

rule: REvil Kaseya patterns

rules/windows/process_creation/win_apt_revil_kaseya.yml

@@ -0,0 +1,34 @@
+title: REvil Kaseya Incident Malware Patterns
+id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
+status: experimental
+description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
+references:
+    - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
+    - https://www.joesandbox.com/analysis/443736/0/html
+    - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
+    - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
+author: Florian Roth
+date: 2021/07/03
+tags:
+    - attack.execution
+    - attack.g0115
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine|contains:
+            - 'C:\Windows\cert.exe'
+            - 'Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled'
+            - 'del /q /f c:\kworking\agent.crt'
+            - 'Kaseya VSA Agent Hot-fix'
+            - '\AppData\Local\Temp\MsMpEng.exe'
+    selection2:
+        Image: 
+            - 'C:\Windows\MsMpEng.exe'
+            - 'C:\Windows\cert.exe'
+            - 'C:\kworking\agent.exe'
+    condition: selection1 and selection2
+falsepositives:
+    - Unknown
+level: critical